Hello Casper,

> Specifically prior to S9 auditing performance was abysmal but even now
> the overheads imposed are horrendous at times. One reason being is
> that auditing is implemented as a syscall wrapper; this causes a lot
> of work to be done twice rather than just once in the syscall proper.
>

Does the auditing overhead operate in a similar manner to DTrace, where the overhead is only apparent when the specific probes are enabled? For example, if I am only interested in auditing exec calls, will simply enabling auditing have an overhead on, say, the read and write calls, or is the overhead limited to the call being audited?

Kind Regards,
Nathan Dietsch

>
> Casper
