On Sep 24, 2007, at 13:32 , Nathan Dietsch wrote:

>> On Sep 21, 2007, at 13:40 , Nathan Dietsch wrote:
>>
>>> Is there any data within Sun as to how expensive auditing is? Obviously
>>> any measurement would be workload-specific, but removing the IO
>>> component of logging, is there a finger-in-the-air figure of what sort
>>> of overhead auditing generates per audit event? Is there roughly a
>>> common set of operations performed for each audit event?
>>>
>> I'm working on that, but I haven't had time to finish it. You can read
>> about my initial findings here:
>> <http://blogs.sun.com/martin/entry/measuring_the_impact_of_auditing>
> That is excellent news. I would be very interested in seeing your
> results as you come across them. The 1.8% overhead on the execve call is
> acceptable in my situation, I would be very interested to see a
> syscall-by-syscall breakdown if you are taking it that far. Having
> actual figures to show people of what auditing would cost them would be
> really valuable.
>

Unfortunately it doesn't look as favorable for other syscalls. The quick ones, like getpid(2), are just a lookup of a structure in the kernel, and auditing is a much more complex thing which takes much longer than the actual getpid(2).
My initial measurements show that 79% of the total time on the CPU (884 nanoseconds on my test system, Sun Fire v20z) for getpid(2) is spent in the auditing code, as it has to gather a lot of information that must be recorded in the audit record.

cheers,
/Martin
--
Martin Englund, Security Engineer, .Sun Engineering, Sun Microsystems Inc.
Email: martin.englund at sun.com
Time Zone: GMT-3
PGP: 1024D/AA514677
"The question is not if you are paranoid, it is if you are paranoid enough."