On Thu, Mar 01, 2007 at 02:03:41PM -0800, Steve G wrote:
> > > The code is not tested with FC7, because libauparse (from
> > > audit-libs-devel) is broken in FC7 now.
>
> Right, audit 1.5 should be out soon and has the hidden variable problem fixed. If
> you link statically, I don't think there is a problem. Nevertheless, 1.5 will be
> out soon.

 Cool.

> > I don't have any numbers (yet), but I expect that audit rules for all
> > open(), stat(), ... have a negative performance impact for the kernel.
>
> Yes, they do have an impact. But depending on what's needed, they can probably be
> combined to 1 rule.

 It's one rule:

    rc |= audit_rule_syscallbyname_data(audit_rule, "open");
    rc |= audit_rule_syscallbyname_data(audit_rule, "creat");
    rc |= audit_rule_syscallbyname_data(audit_rule, "truncate");
    rc |= audit_rule_syscallbyname_data(audit_rule, "execve");
    rc |= audit_rule_syscallbyname_data(audit_rule, "sendfile");
    if (rc < 0)
        goto err;
    rc = audit_add_rule_data(rac->fd, audit_rule,
                             AUDIT_FILTER_ENTRY, AUDIT_ALWAYS);

 I'll try to check it and prepare some numbers. Maybe it's really so
 fast. No clue now.

> > I think for FC7 it's fine to keep it for advanced uses only. I hope we will
> > find a way to integrate the collector into the distro.
>
> Actually, I think we could probably fix this too, but may need some time to
> address a couple kernel problems that this would impose. We might want to change
> the audit rule evaluation strategy to do all rules rather than first match. This
> is so that the rules for boot monitoring won't interfere with rules for security
> monitoring. There might be a few other tweaks, too.

 Sounds good. It's nothing urgent.

    Karel

--
 Karel Zak <kzak@xxxxxxxxxx>
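
Added example, not part of the original message and not libaudit or kernel code: a small self-contained C model of the two points discussed in the thread, one rule whose syscall bitmask covers several syscalls, and first-match versus all-rules evaluation. The struct, the function names, the rule owners and the x86_64 syscall numbers are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BITMASK_SIZE 64                    /* same value as AUDIT_BITMASK_SIZE */
#define WORD(nr) ((nr) / 32)               /* mirrors AUDIT_WORD() */
#define BIT(nr)  (1U << ((nr) % 32))       /* mirrors AUDIT_BIT() */

/* Simplified model of a syscall rule; not the kernel's struct audit_rule_data. */
struct model_rule { const char *owner; uint32_t mask[BITMASK_SIZE]; };

static void rule_add_syscall(struct model_rule *r, int nr) { r->mask[WORD(nr)] |= BIT(nr); }
static int rule_matches(const struct model_rule *r, int nr) { return (r->mask[WORD(nr)] & BIT(nr)) != 0; }

/* First match: index of the first rule covering nr, or -1. Later rules are never consulted. */
static int eval_first_match(const struct model_rule *rules, int n, int nr) {
    for (int i = 0; i < n; i++)
        if (rule_matches(&rules[i], nr)) return i;
    return -1;
}

/* All rules: bitmap of every rule index covering nr. */
static unsigned eval_all_rules(const struct model_rule *rules, int n, int nr) {
    unsigned hits = 0;
    for (int i = 0; i < n; i++)
        if (rule_matches(&rules[i], nr)) hits |= 1U << i;
    return hits;
}

/* Constructed sample: x86_64 syscall numbers, hypothetical rule owners. */
static void build_demo(struct model_rule rules[2]) {
    static const int boot[] = { 2, 85, 76, 59, 40 };  /* open creat truncate execve sendfile */
    static const int sec[]  = { 59, 87 };             /* execve unlink */
    memset(rules, 0, 2 * sizeof(rules[0]));
    rules[0].owner = "boot-monitor";
    rules[1].owner = "security";
    for (size_t i = 0; i < sizeof(boot) / sizeof(boot[0]); i++) rule_add_syscall(&rules[0], boot[i]);
    for (size_t i = 0; i < sizeof(sec) / sizeof(sec[0]); i++) rule_add_syscall(&rules[1], sec[i]);
}

int main(void) {
    struct model_rule rules[2];
    build_demo(rules);
    printf("execve: first match -> rule %d (%s), all rules -> bitmap 0x%x\n",
           eval_first_match(rules, 2, 59), rules[eval_first_match(rules, 2, 59)].owner,
           eval_all_rules(rules, 2, 59));
    printf("unlink: first match -> rule %d, stat: first match -> rule %d\n",
           eval_first_match(rules, 2, 87), eval_first_match(rules, 2, 4));
    return 0;
}
```

In this model a five-syscall rule costs one mask test per rule at syscall entry, and under first match the "security" rule is never reached for execve because the "boot-monitor" rule already covers it.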