Thanks a lot :-)
I still have several questions:
1. My audit rule is auditctl -a exit,always -S open -F success=0,
why in the audit record, the success field is no. And if I use the
opposite rule auditctl -a exit,always -S open -F success!=0, the
records' "success" field is yes?
2. In some audit records, the "success" is yes, but with a non-zero
exit code. When does this situation occur(A syscall successes with a
non-zero exit code)?
3.Have anyone ever tested the system performance impact when the
kernel audit functionality is turned on?
I've tested with the following audit rules
auditctl -a exit,always -S read -F success=0
auditctl -a exit,always -S readv -F success=0
auditctl -a exit,always -S write -F success=0
auditctl -a exit,always -S writev -F success=0
auditctl -a exit,always -S fork -F success=0
auditctl -a exit,always -S clone -F success=0
auditctl -a exit,always -S truncate -F success=0
auditctl -a exit,always -S ftruncate -F success=0
auditctl -a exit,always -S link -F success=0
auditctl -a exit,always -S unlink -F success=0
auditctl -a exit,always -S symlink -F success=0
auditctl -a exit,always -S chown -F success=0
auditctl -a exit,always -S chmod -F success=0
auditctl -a exit,always -S fchown -F success=0
auditctl -a exit,always -S fchmod -F success=0
auditctl -a exit,always -S kill -F success=0
auditctl -a exit,always -S mmap -F success=0
auditctl -a exit,always -S signal -F success=0
I've tested the source code compile benchmark with the
kscope1.6.0(a source reading toll). My platform is Fedora 8, 2.6.23
kernel version, and Intel Pentium(R) processor1.7GHZ, 512M main
memory.
Without any audit, the kscope compile time is as follows
0m32s total time
0m14s user space time
0m3s sys space time
With the above audit rule set, the kscope source compile time is as follows
1m4s total time
0m14s user space time
0m15s sys space time
It turned out that with some of the audit rule set, the kscope
source compile process takes double time. I wonder why it has so heavy
impact on the system's performance.
I also read some papers(<<Automatic high-performance
reconstruction and recovery>>) on other audit systems. The system's
impact is relatively low,about 6%~8% with all syscall information
audited.
> On Sunday 27 January 2008 03:25:47 Marius.bao wrote:
> > type=SYSCALL msg=audit(1201421673.445:1508): arch=40000003
> > syscall=5 success=no exit=-2 a0=bfec1e40 a1=0 a2=b7ee6548 a3=bfec1e40
> > items=1 ppid=9571 pid=96 95 auid=0 uid=0 gid=0 euid=0 suid=0
> > fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vim" exe="/usr/bin/vim"
> > key=(null)
> > The "success" fields of the record is no, what does it mean? Does it
> > represent the syscall is failed?
>
> Yes
>
>
> > And what does "exit" field mean? Does it represent the syscall's exit
> > code?
>
> Yes.
>
>
> > I'm also confused with the meaning of the fields of "a0" "a1" "a2"
> > and "a3".
>
> Arg 0, Arg 1, Arg 2, and Arg 3. All are integers. IOW, pointers are not
> dereferenced, you would just have the address.
>
> I have something that tells you about the meaning of various fields here:
>
> http://people.redhat.com/sgrubb/audit/audit-parse.txt
>
> Look in the field names section.
>
> -Steve
>
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
