Hi,

Based on finding an unnecessary function call to selinux_task_ctxid when evaluating syscall rules, I built a new kernel and re-ran the same tests.

rules   seconds   loss
0       47        0%
10      53        11%
25      68        43%
50      99        109%
75      132       178%
90      157       232%

The 75 rule performance hit is now 178% instead of 184%. So there is some notable improvement in performance.

For comparison, I also loaded the 90 rules config into RHEL4. There is only a 6% performance hit compared to no rules. I think the bulk of that comes from evaluating the 10 syscall rules rather than the file system audit code.

-Steve

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
