On Thursday, September 29, 2011 11:33:09 AM LC Bruzenak wrote:
> I was looking at some strace results from a process using the
> audit_log_user_message call and I think I see how I can eliminate some
> ioctls and /proc/self lookups by setting the hostname/tty parameters to
> non-NULL pointers pointing to NULL values.
>
> But the exename is another story. It does a lookup each time. We have
> persistent processes each of which submit 100Ks (on the way to 1Ms) of
> audit_log_user_message events daily, so it would make a difference.
>
> I was thinking about a patch to store off the exename statically if one
> isn't already in the pipeline. Let me know; I'll submit something if
> not.
You might try this:
diff -urp audit-2.1.4.orig/lib/audit_logging.c audit-2.1.4/lib/audit_logging.c
--- audit-2.1.4.orig/lib/audit_logging.c 2011-09-06 14:17:06.000000000
-0400
+++ audit-2.1.4/lib/audit_logging.c 2011-09-30 09:08:50.000000000 -0400
@@ -240,7 +240,7 @@ int audit_log_user_message(int audit_fd,
{
char buf[MAX_AUDIT_MESSAGE_LENGTH];
char addrbuf[INET6_ADDRSTRLEN];
- char exename[PATH_MAX*2];
+ static char exename[PATH_MAX*2]="";
char ttyname[TTY_PATH];
const char *success;
int ret;
@@ -262,7 +262,8 @@ int audit_log_user_message(int audit_fd,
else
strncat(addrbuf, addr, sizeof(addrbuf)-1);
- _get_exename(exename, sizeof(exename));
+ if (exename[0] == 0)
+ _get_exename(exename, sizeof(exename));
if (tty == NULL)
tty = _get_tty(ttyname, TTY_PATH);
else if (*tty == 0)
> The other question is on the auditd side. IIUC on each event the
> write_to_log function is checking the logfile size. Seems to me that we
> could limit the fstat checks to say one every ten events or so. Any
> problems there?
We can probably use the return value of fprintf() +1 (for the NULL byte) and
just keep the running total in memory.
-Steve
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
