a utility to assist controlling the kernel's audit system
PERFORMANCE TIPS
Syscall rules get evaluated for each syscall for every program.
If you have 10 syscall rules, every program on your system will
delay during a syscall while the audit system evaluates each
rule. Too many syscall rules will hurt performance. Try to
combine as many as you can whenever the filter, action, key, and
fields are identical. For example:
auditctl -a always,exit -F arch=b64 -S openat -F success=0
auditctl -a always,exit -F arch=b64 -S truncate -F success=0
could be re-written as one rule:
auditctl -a always,exit -F arch=b64 -S openat -S truncate -F success=0
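As an added example (not part of the auditctl man page or the audit project), the following Python script performs this consolidation mechanically: it parses a list of "auditctl -a" commands, groups those whose action/list, -F fields and -k key are identical, and unions their -S syscalls into one rule per group. The rule lines it works on are constructed sample input; the auditctl binary itself is never invoked.

```python
import shlex
from collections import OrderedDict

# Constructed sample rules: the first two differ only in -S and can be merged;
# the third carries an extra -F dir=/etc field, so it must stay separate.
CONSTRUCTED_RULES = [
    "auditctl -a always,exit -F arch=b64 -S openat -F success=0",
    "auditctl -a always,exit -F arch=b64 -S truncate -F success=0",
    "auditctl -a always,exit -F arch=b64 -S openat -F dir=/etc -F success=0",
]

def parse_rule(line):
    """Split one 'auditctl -a ...' command into (action_list, fields, key, syscalls)."""
    toks = shlex.split(line)
    if not toks or toks[0] != "auditctl":
        raise ValueError(f"not an auditctl command: {line!r}")
    action_list, key, fields, syscalls = None, None, [], []
    i = 1
    while i < len(toks):
        if i + 1 == len(toks):
            raise ValueError(f"option {toks[i]!r} lacks an argument in: {line!r}")
        opt, arg = toks[i], toks[i + 1]
        if opt == "-a":
            action_list = arg
        elif opt == "-F":
            fields.append(arg)
        elif opt == "-S":
            syscalls.append(arg)
        elif opt == "-k":
            key = arg
        else:
            raise ValueError(f"unsupported option {opt!r} in: {line!r}")
        i += 2
    if action_list is None or not syscalls:
        raise ValueError(f"need -a and at least one -S in: {line!r}")
    return action_list, tuple(fields), key, syscalls

def merge_rules(lines):
    """Merge rules with identical action/list, -F fields and -k key into one rule each."""
    groups = OrderedDict()
    for line in lines:
        action_list, fields, key, syscalls = parse_rule(line)
        merged = groups.setdefault((action_list, fields, key), [])
        merged.extend(sc for sc in syscalls if sc not in merged)
    out = []
    for (action_list, fields, key), syscalls in groups.items():
        # auditctl needs arch= before -S so syscall names resolve for that arch
        arch = [f for f in fields if f.startswith("arch=")]
        rest = [f for f in fields if not f.startswith("arch=")]
        parts = ["auditctl", "-a", action_list]
        parts += [t for f in arch for t in ("-F", f)]
        parts += [t for sc in syscalls for t in ("-S", sc)]
        parts += [t for f in rest for t in ("-F", f)]
        parts += ["-k", key] if key is not None else []
        out.append(" ".join(parts))
    return out
```

Running merge_rules(CONSTRUCTED_RULES) yields two rules instead of three; review the result before loading it, since a rule with a different key or field set is deliberately left alone.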
Also, try to use file system auditing wherever practical. This
improves performance. For example, if you wanted to capture
all failed opens & truncates like above, but were only concerned
about files in /etc and didn't care about /usr or /sbin, it's
possible to use this rule:
auditctl -a always,exit -S openat -S truncate -F dir=/etc -F success=0
This will be higher performance since the kernel will not
evaluate it on each and every syscall. It will be handled by the
filesystem auditing code and only checked on filesystem related
syscalls.