On Tuesday 11 April 2006 12:11, Amy Griffis wrote:
> -a exit,always -S chmod -S fchmod -S chown -S fchown -S lchown
> -S creat -S open -S truncate -S ftruncate -S mkdir -S rmdir -S unlink
> -S rename -S link -S symlink -F watch=/etc/sysconfig/console
>
> Now you don't have any rules for access(), so using it as the test
> case is much more interesting.

OK, I re-worked auditctl to use these syscalls instead of "all". I then re-ran 
the tests on the same kernel as I was testing on since lspp.17 has slab debug 
stuff turned on again.

rules   seconds   loss
0       50        0%
10      52        4%
25      56        12%
50      69        38%
75      81        62%
90      87        74%

The 75 rule performance hit is now 62%. So there is some improvement in 
performance. RHEL4 has a 6% hit for 90 rules. We've narrowed the difference, 
but I don't consider this solved.

I also don't like the idea of handling this by all those syscalls or using 
"all" because user space tools could get out of sync with the kernel. On any 
kernel upgrade, there could be a new syscall that allows file system access. 
The user space tools wouldn't know about it and wouldn't provide automatic 
coverage.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
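A small Python check, added here and not part of the thread, that parses the auditctl rule quoted above, reports which of a constructed list of newer path-based syscalls (assumed names, not from the message) the fixed -S list would leave uncovered, and recomputes the loss column from the timing table.

```python
import shlex

# The rule quoted at the top of the message (copied for this example).
RULE = ("-a exit,always -S chmod -S fchmod -S chown -S fchown -S lchown "
        "-S creat -S open -S truncate -S ftruncate -S mkdir -S rmdir -S unlink "
        "-S rename -S link -S symlink -F watch=/etc/sysconfig/console")

# Constructed sample of path-taking syscalls a newer kernel might offer;
# the names are assumptions for illustration, not taken from the thread.
NEWER_FS_SYSCALLS = ["openat", "mkdirat", "unlinkat", "renameat", "linkat",
                     "symlinkat", "fchmodat", "fchownat"]


def parse_rule(rule):
    """Return (action, syscalls, filters) from an auditctl-style rule string."""
    args = shlex.split(rule)
    action, syscalls, filters = None, [], {}
    i = 0
    while i < len(args):
        opt = args[i]
        if opt == "-a":            # list,action pair, e.g. exit,always
            action = args[i + 1]
        elif opt == "-S":          # one syscall name per -S
            syscalls.append(args[i + 1])
        elif opt == "-F":          # field=value filter, e.g. watch=/path
            key, _, value = args[i + 1].partition("=")
            filters[key] = value
        else:
            raise ValueError("unsupported option: " + opt)
        i += 2
    return action, syscalls, filters


def uncovered(rule, kernel_fs_syscalls):
    """Syscalls in kernel_fs_syscalls that the rule's -S list does not name."""
    _, listed, _ = parse_rule(rule)
    listed = set(listed)
    return [s for s in kernel_fs_syscalls if s not in listed]


def overhead(baseline_seconds, seconds):
    """Loss as a whole-number percent, the way the table above reports it."""
    return round(100 * (seconds - baseline_seconds) / baseline_seconds)


if __name__ == "__main__":
    print("missed by fixed -S list:", uncovered(RULE, NEWER_FS_SYSCALLS))
    for rules, secs in [(0, 50), (10, 52), (25, 56), (50, 69), (75, 81), (90, 87)]:
        print(rules, secs, str(overhead(50, secs)) + "%")
```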
