Audit overhead and default rules

Steve Grubb sgrubb at redhat.com
Mon Feb 10 20:06:19 UTC 2014


On Monday, February 10, 2014 11:05:38 AM Andrew Lutomirski wrote:
> On a default Fedora installation, every system call incurs a fair
> amount of overhead due to syscall auditing.  This happens despite the
> fact that syscalls aren't actually audited, except as part of AVC
> denials.
> 
> The overhead is something like 20-40ns per syscall, and the total time
> to do a simple syscall with auditing completely disabled is about 70ns
> on my laptop.  So this is actually a large effect.

Then pass -s=nochange on the auditd command prompt. This means that auditd 
will not attempt to enable auditing. When auditing is not enabled, it will not 
build an audit context and syscalls are slightly faster, but you will lose a 
tiny bit of information that selinux would have liked to have.


> What would people think about changing the default audit rules to add
> something like '-t task,never'?

This filter is almost useless. It's never used in real life because it creates 
inauditable processes, which is exactly the opposite of what people normally want.

>  This would remove the overhead, but it would come at the cost of removing
> the syscall records from
> /var/log/audit/audit.log when an AVC denial occurs.
> 
> This could make debugging selinux errors a bit harder, but it would be
> easy for users to re-enable full auditing.
> 
> I've been playing with fixing this in the kernel, but it's a mess.

It's also simple to fix in your config.

-Steve
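
The thread above argues about the per-syscall cost of the audit context without showing how to measure it. The following is an added example, not code from either poster or from the audit project: a small Linux microbenchmark that times a raw getpid(2) syscall (almost no kernel work, so the residue is entry/exit cost including any audit setup) against a vDSO clock_gettime() call that never enters the kernel. The iteration count, the choice of getpid as the probe, and the assumption that glibc serves CLOCK_MONOTONIC from the vDSO are all mine.

```c
/* syscall_cost.c: measure the mean cost of a trivial raw syscall.
   Added example for this thread; not code from the list or from audit.
   Assumes Linux with glibc (syscall(2), SYS_getpid, vDSO clock_gettime). */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Monotonic wall clock in nanoseconds. */
static uint64_t now_ns(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}

/* Mean nanoseconds per raw getpid(2) syscall. getpid is used as the probe
   because the kernel does almost nothing for it, so what is measured is
   syscall entry/exit, including any audit context work on that path.
   Returns 0.0 when iterations is 0. */
double syscall_cost_ns(unsigned long iterations)
{
    if (iterations == 0)
        return 0.0;
    /* Warm up caches and branch predictors before timing. */
    for (unsigned long i = 0; i < 1000; i++)
        syscall(SYS_getpid);
    uint64_t t0 = now_ns();
    for (unsigned long i = 0; i < iterations; i++)
        syscall(SYS_getpid);
    uint64_t t1 = now_ns();
    return (double)(t1 - t0) / (double)iterations;
}

/* Mean nanoseconds per clock_gettime(CLOCK_MONOTONIC). On x86-64 glibc this
   is answered from the vDSO without a kernel entry (assumption), so it serves
   as a baseline for the cost of the loop and the call itself. */
double vdso_cost_ns(unsigned long iterations)
{
    if (iterations == 0)
        return 0.0;
    struct timespec ts;
    for (unsigned long i = 0; i < 1000; i++)
        clock_gettime(CLOCK_MONOTONIC, &ts);
    uint64_t t0 = now_ns();
    for (unsigned long i = 0; i < iterations; i++)
        clock_gettime(CLOCK_MONOTONIC, &ts);
    uint64_t t1 = now_ns();
    return (double)(t1 - t0) / (double)iterations;
}

int main(int argc, char **argv)
{
    /* Iteration count is an arbitrary default; override on the command line. */
    unsigned long n = argc > 1 ? strtoul(argv[1], NULL, 10) : 2000000ul;
    printf("raw getpid syscall:   %.1f ns/call\n", syscall_cost_ns(n));
    printf("vDSO clock_gettime:   %.1f ns/call\n", vdso_cost_ns(n));
    return 0;
}
```

Build with `gcc -O2 -o syscall_cost syscall_cost.c` and run it twice on the same box: once with the default Fedora audit setup, and once as root after `auditctl -e 0` (restore with `auditctl -e 1`; `auditctl -s` shows the current `enabled` flag). The difference between the two getpid figures is the per-syscall cost the thread is discussing; the vDSO figure tells you how much of either number is just the loop.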

