Linux audit performance impact
Paul Moore
paul at paul-moore.com
Thu Feb 19 03:32:34 UTC 2015
On Wed, Feb 18, 2015 at 5:32 PM, Richard Guy Briggs <rgb at redhat.com> wrote:
> On 15/02/18, Paul Moore wrote:
>> I would imagine a scenario where we introduced the new format in stages:
>>
>> #1 - Move in-kernel audit record string generation completely into
>> kernel/audit*.c. Benefits everyone regardless of the audit format.
>
> Ok.
>
>> #2 - Introduce a versioned audit API. The most difficult step for
>> obvious reasons.
>
> That infrastructure should already be in place. We just converted over
> the version field to a bitfield listing the availability of features.
> An initial call can be made to find out if it is supported, then use the
> feature switching bitfield to enable it. We could alternately make a
> different unicast socket available signalling its availability.
Some of the most basic parts of a versioned API are present, but there
are *big* chunks missing.
>> #3 - Deprecate the old/existing audit record format, make it a Kconfig
>> option that defaults to off and emit a warning when the old formatting
>> is used. This will be a year, and most likely more, after step #2.
>>
>> #4 - Remove the old/existing audit record code. Once again, this
>> would happen a couple of years after step #3.
>
> I suspect in practice steps #3 and #4 could take a lot longer.
You may be right; I consider the times above as minimums. However,
I'm not completely shutting the door on moving things along sooner; I
don't think we have a ton of users. We'll find out.
--
paul moore
www.paul-moore.com