> That is excellent news. I would be very interested in seeing your
> results as you come across them. The 1.8% overhead on the execve call is
> acceptable in my situation, I would be very interested to see a
> syscall-by-syscall breakdown if you are taking it that far. Having
> actual figures to show people of what auditing would cost them would be
> really valuable.
execve is probably the least interesting system call to measure; it's hugely expensive (copying large amounts of data from the old address space to the kernel, tearing down the address space and then copying it back out).

Casper
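As an added illustration of the point made above (this is example code, not something posted in the thread), the following C microbenchmark times a cheap system call (getppid, chosen because libc does not cache it) against a full fork + execve of /bin/true. It gives a rough per-call baseline of the kind a syscall-by-syscall breakdown would start from, and makes it obvious why a 1.8% overhead on execve says little about the cost of auditing cheaper calls: the execve path is orders of magnitude more expensive before any audit hook is added. The iteration counts and the path /bin/true are assumptions of the example; on a system without fork or /bin/true the execve benchmark reports -1 instead of a time.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Monotonic wall-clock time in nanoseconds. */
static double now_ns(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec * 1e9 + (double)ts.tv_nsec;
}

/* Average nanoseconds per getppid() call over `iters` iterations.
 * getppid() is a real syscall each time (glibc does not cache it),
 * so this approximates the cost of a trivial kernel entry/exit. */
double bench_getppid_ns(long iters)
{
    if (iters <= 0)
        return -1.0;
    double t0 = now_ns();
    for (long i = 0; i < iters; i++)
        (void)getppid();
    return (now_ns() - t0) / (double)iters;
}

/* Average nanoseconds per fork + execve("/bin/true") + waitpid cycle.
 * This is the address-space teardown/rebuild that makes execve so
 * expensive. Returns -1.0 if fork or exec is unavailable (e.g. in a
 * restricted sandbox), so callers can distinguish "not measurable"
 * from a real timing. The path /bin/true is an assumption. */
double bench_execve_ns(long iters)
{
    if (iters <= 0)
        return -1.0;
    double t0 = now_ns();
    for (long i = 0; i < iters; i++) {
        pid_t pid = fork();
        if (pid < 0)
            return -1.0;
        if (pid == 0) {
            execl("/bin/true", "true", (char *)NULL);
            _exit(127); /* exec failed in the child */
        }
        int status = 0;
        if (waitpid(pid, &status, 0) < 0)
            return -1.0;
        if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
            return -1.0;
    }
    return (now_ns() - t0) / (double)iters;
}

int main(void)
{
    double cheap = bench_getppid_ns(200000);
    double heavy = bench_execve_ns(200);
    printf("getppid : %10.1f ns/call\n", cheap);
    if (heavy < 0)
        printf("execve  : not measurable here (fork/exec unavailable)\n");
    else
        printf("execve  : %10.1f ns/call (%.0fx getppid)\n", heavy, heavy / cheap);
    return 0;
}
```

Run it once with auditing off and once with the audit policy enabled and compare the two tables; the difference per call, not the percentage on execve alone, is the number worth showing people.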