Linux audit performance impact
Paul Moore
paul at paul-moore.com
Thu Feb 12 16:31:35 UTC 2015
On Thu, Feb 12, 2015 at 11:10 AM, Viswanath, Logeswari P (MCOU OSTL)
<logeswari.pv at hp.com> wrote:
> Hi all,
>
> We did profiling of the kernel (using perf tool) during our performance test and below were the top 4 functions for the overhead.
>
> 11.33% loader1 [kernel.kallsyms] [k] format_decode
> 10.40% loader1 [kernel.kallsyms] [k] memcpy
> 7.46% loader1 [kernel.kallsyms] [k] number.isra.1
> 6.99% loader1 [kernel.kallsyms] [k] vsnprintf
>
> I was unable to attach the entire profiling data of the kernel because it exceeds the limit of 80KB.
>
> From the perf data, we believed the overhead is because of invoking audit_log_format function multiple times.
> We changed the code to reduce the number of times this function is called.
> With this change the performance degradation is 20% now compared to the performance without auditing.
> Without this change the performance degradation is 200% compared to the performance without auditing.
>
> We can publish the code change done tomorrow.
>
> Please let me know your feedback on this idea.
This doesn't surprise me; this is due to the string-based record format -
it's expensive to generate those strings. I'd be interested in seeing
your patches.
--
paul moore
www.paul-moore.com