On Friday, January 20, 2012 03:06:13 PM Peter Moody wrote:
> I'm trying to run some tests so I can find locally relevant numbers,
> but I was wondering if you had any idea what sort of performance hit
> I'd be incurring by logging every successful execve.
>
> To be sure, I consider this a bad idea and I'm actually looking to
> dissuade people of it.

It is a bad idea. Think of shell scripting. You can get 100s of execve's for
just one command on a command line. You'll never find what you think you
wanted.

I think we did some testing over 5 years ago. There was a micro-benchmark
here:

http://people.redhat.com/sgrubb/files/lspp-perf.tar.gz

I think it was testing the access syscall. But you can substitute what you
want. I have not benchmarked the audit system in years.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
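
Added example, not part of the original message and not the code in the tarball linked above: a small C micro-benchmark for getting locally relevant per-call numbers for access(2) and for fork+execve(2). Build and run it once with no audit rules loaded and once with an execve rule loaded, then compare the two sets of figures. The /bin/true path and the iteration counts are assumptions.

```c
/* Added example: mean cost per access(2) call and per fork+execve+wait.
 * Compare a run with no audit rules against a run after, for example:
 *   auditctl -a always,exit -F arch=b64 -S execve -F success=1 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

static volatile int sink;   /* keeps the access() results "used" */

static double now_ns(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec * 1e9 + (double)ts.tv_nsec;
}

/* Mean nanoseconds per access(2) call over n iterations. */
double bench_access(long n)
{
    double t0 = now_ns();
    for (long i = 0; i < n; i++)
        sink += access("/", F_OK);
    return (now_ns() - t0) / (double)n;
}

/* Mean ns per fork+execve+wait of path; -1.0 if any child fails to run. */
double bench_execve(long n, const char *path)
{
    char *const argv[] = { (char *)path, NULL };
    char *const envp[] = { NULL };
    double t0 = now_ns();
    for (long i = 0; i < n; i++) {
        int st;
        pid_t pid = fork();
        if (pid < 0)
            return -1.0;
        if (pid == 0) {
            execve(path, argv, envp);
            _exit(127);                 /* only reached if execve failed */
        }
        if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st) || WEXITSTATUS(st) != 0)
            return -1.0;
    }
    return (now_ns() - t0) / (double)n;
}

int main(void)
{
    printf("access: %.0f ns/call\n", bench_access(1000000));   /* assumed count */
    printf("execve: %.0f ns/call\n", bench_execve(2000, "/bin/true"));
    return 0;
}
```

The execve figure includes fork and wait overhead, so the number to look at is the difference between the two runs, not the absolute value.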
