Путеводитель по Руководству Linux

  User  |  Syst  |  Libr  |  Device  |  Files  |  Other  |  Admin  |  Head  |



   auditctl    ( 8 )

утилита для помощи в управлении системой аудита ядра (a utility to assist controlling the kernel's audit system)

PERFORMANCE TIPS

Syscall rules get evaluated for each syscall for every program.
       If you have 10 syscall rules, every program on your system will
       delay during a syscall while the audit system evaluates each
       rule. Too many syscall rules will hurt performance. Try to
       combine as many as you can whenever the filter, action, key, and
       fields are identical. For example:

auditctl -a always,exit -F arch=b64 -S openat -F success=0 auditctl -a always,exit -F arch=b64 -S truncate -F success=0

could be re-written as one rule:

auditctl -a always,exit -F arch=b64 -S openat -S truncate -F success=0

Also, try to use file system auditing wherever practical. This improves performance. For example, if you were wanting to capture all failed opens & truncates like above, but were only concerned about files in /etc and didn't care about /usr or /sbin, its possible to use this rule:

auditctl -a always,exit -S openat -S truncate -F dir=/etc -F success=0

This will be higher performance since the kernel will not evaluate it each and every syscall. It will be handled by the filesystem auditing code and only checked on filesystem related syscalls.