> Can you provide a pointer to the "always on" audit project? By always
> on, do you mean turning it on early in the boot process or do you mean
> that it is on by default? Changing to have auditing on by default would
> make the job of selling the benefits a lot easier. Enabling a sensible
> level of auditing by default (that could be tuned to be more verbose if
> necessary) would be a really good idea.
The "always on auditing" project tries to fix two problems:

- always run the auditing code, allowing an on-the-fly switch from audited to non-audited code
- fix the sometimes serious performance overhead auditing currently imposes even when no audit events are generated.

The first bit makes it a *lot* easier to experiment with auditing on live systems; the second one makes it much more acceptable in production environments.

Specifically, prior to S9 auditing performance was abysmal, but even now the overheads imposed are horrendous at times. One reason is that auditing is implemented as a syscall wrapper; this causes a lot of work to be done twice rather than just once in the syscall proper.

Casper
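To make the "work done twice" point concrete, here is a constructed model of the two designs Casper contrasts. It is added illustration, not Solaris code and not from anyone in this thread: a separate audit wrapper in front of a syscall entry point versus an audit hook compiled into the syscall itself and gated by a per-process preselection mask. The names (`AUE_OPEN`, `copyinstr_sim`, `open_impl`, the error numbers) are invented for the example, and the model assumes the wrapper must copy the argument itself to build a record, which is what makes it pay for a second copy on every call.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed model (not Solaris code): an audit syscall wrapper versus an
 * always-on audit hook inside the syscall. All names here are invented.
 */

#define AUE_OPEN 0x1u          /* hypothetical event class bit for open(2) */
#define PATH_MAX_SIM 256

static unsigned copyin_calls;    /* expensive user->kernel copies performed */
static unsigned records_written; /* audit records actually emitted */

/* Simulated copyinstr(): the costly step both designs must pay at least once. */
static int copyinstr_sim(const char *upath, char *kpath, size_t len)
{
    copyin_calls++;
    if (strlen(upath) >= len)
        return -1;               /* treat as ENAMETOOLONG */
    strcpy(kpath, upath);
    return 0;
}

static void audit_record(unsigned ev, const char *kpath, int ret)
{
    records_written++;
    printf("audit: ev=%#x path=%s ret=%d\n", ev, kpath, ret);
}

/* The syscall proper: resolves the path and returns an fd or -errno. */
static int open_impl(const char *kpath)
{
    return strcmp(kpath, "/etc/shadow") == 0 ? -13 /* EACCES */ : 3;
}

/* Design 1: the audit wrapper sits in front of the real syscall entry. In this
 * model it copies the argument to build its record, then the real entry copies
 * it again. The duplicate copy is paid on every call once the wrapper is
 * installed, whether or not the process's mask selects the event. */
static int open_real(const char *upath)
{
    char kpath[PATH_MAX_SIM];
    if (copyinstr_sim(upath, kpath, sizeof kpath) != 0)
        return -36;              /* ENAMETOOLONG */
    return open_impl(kpath);
}

int open_wrapped(const char *upath, unsigned mask)
{
    char kpath[PATH_MAX_SIM];
    int ret;
    if (copyinstr_sim(upath, kpath, sizeof kpath) != 0)   /* copy #1 */
        return -36;
    ret = open_real(upath);                                /* copy #2 inside */
    if (mask & AUE_OPEN)
        audit_record(AUE_OPEN, kpath, ret);
    return ret;
}

/* Design 2: always-on hook. The audit call is part of the syscall, reuses the
 * argument already copied in, and when nothing is selected its only cost is a
 * mask test. Changing the mask at runtime switches auditing on or off. */
int open_hooked(const char *upath, unsigned mask)
{
    char kpath[PATH_MAX_SIM];
    int ret;
    if (copyinstr_sim(upath, kpath, sizeof kpath) != 0)   /* the only copy */
        return -36;
    ret = open_impl(kpath);
    if (mask & AUE_OPEN)
        audit_record(AUE_OPEN, kpath, ret);
    return ret;
}

/* Run one open() through a design and report how much work it cost. */
int trial(int (*fn)(const char *, unsigned), const char *path, unsigned mask,
          unsigned *copies, unsigned *records)
{
    int ret;
    copyin_calls = records_written = 0;
    ret = fn(path, mask);
    *copies = copyin_calls;
    *records = records_written;
    return ret;
}

int main(void)
{
    unsigned c, r;
    trial(open_wrapped, "/etc/passwd", 0, &c, &r);
    printf("wrapper, unaudited: %u copies, %u records\n", c, r);
    trial(open_hooked, "/etc/passwd", 0, &c, &r);
    printf("hook,    unaudited: %u copies, %u records\n", c, r);
    trial(open_wrapped, "/etc/shadow", AUE_OPEN, &c, &r);
    printf("wrapper, audited:   %u copies, %u records\n", c, r);
    trial(open_hooked, "/etc/shadow", AUE_OPEN, &c, &r);
    printf("hook,    audited:   %u copies, %u records\n", c, r);
    return 0;
}
```

The counters are the point: the wrapper design costs two copies per call even when the mask is zero and no record is produced, while the hooked design costs one copy plus a mask test, and turning auditing on is just a change to the mask rather than re-routing the syscall entry. A real kernel has more duplicated work than one `copyinstr` (path lookup, credential checks), so the gap in practice is wider than this toy shows.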