Linux audit performance impact
Paul Moore
paul at paul-moore.com
Fri Feb 20 21:25:37 UTC 2015
On Fri, Feb 20, 2015 at 1:37 PM, Ed Christiansen MS <edwardc at ll.mit.edu> wrote:
> As a guy who administers Irix today I can say the auditing on Irix is
> extensive, but I'd hesitate to reference it in this context because
> the satd does NOT give you the option to choose success or failure
> audits. You get both and it fills your disk fairly quickly. I've
> had to disable it during periods of high activity because it will
> halt your system (also not configurable) if it runs out of space. So,
> maybe it didn't require much in the way of structure, but it left an awful
> lot to be desired in the implementation.
I'm only planning a change in the format, not the content of the audit
records, so you'll still have success/fail indicators like you do now.
--
paul moore
www.paul-moore.com