On Monday, August 27, 2012 11:02:24 AM Peter Moody wrote:
> Does anyone know the number of audit rules that can be installed on a
> system before having to traverse the list of rules on every syscall
> starts to take a noticeable amount of time? I'm assuming no rules that
> generate excessive logs, so nothing like '-a exit,always -S execve' or
> '-a exit,always -S open'.

We haven't done any official benchmarking in a long time. The way the rules are written very much affects performance, though.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
