Open anantk17 opened 4 years ago
Each audit record is tracked in the form of an `audit_buffer` from `audit_log_start` to `audit_log_end`, i.e. till gen -> send to netlink.
https://github.com/anantk17/linux/blob/31118476b9fa410bfa0257538848e9cd24248deb/kernel/audit.c#L202-L211
`audit_context` contains a field called `aux`, which contains data about auxiliary tasks associated with current tasks. This results in additional log entries being generated for each syscall.
It might make sense to check how this varies with syscalls. That should give us a direct way to get a sense of the difference in the audit delays based on different syscalls.
Figuring out the memory footprint of each audit record as it flows through the system (gen -> netlink -> auditd -> file). This will help with understanding additional memory requirements when it comes to actually recommending additional hardware costs associated with enabling audit in real-time systems.
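As an added example (not part of this issue and not code from the linked linux tree): every record auditd writes for one syscall event carries the same serial number in `msg=audit(<timestamp>:<serial>)`, and each of those records started out as its own `audit_buffer` in the kernel (the SYSCALL record plus one record per `aux` entry, CWD, PATH item and PROCTITLE). So a first way to see how the per-syscall record count varies, and what each event costs at the file end of the gen -> netlink -> auditd -> file path, is to group records by serial. The script below does that over a constructed sample of audit.log text (the lines are made up for the example, not a real capture); `group_events` and `per_syscall` are names chosen here, and the byte count is the size of the text at the file stage only, not the in-kernel skb or `audit_buffer` allocation, which is larger by the netlink and skb headers.

```python
import re
from collections import defaultdict

# Constructed sample of auditd's file output (not a real capture). Records that
# belong to one syscall event share the serial inside msg=audit(<ts>:<serial>);
# in the kernel each of them was a separate audit_buffer, so the record count
# per serial is what the aux list, PATH items, CWD and PROCTITLE add on top of
# the SYSCALL record itself.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1614000000.123:4567): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d5c0a0c2a0 a2=80000 a3=0 items=1 ppid=1 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="cat" exe="/usr/bin/cat" key="files"
type=CWD msg=audit(1614000000.123:4567): cwd="/home/user"
type=PATH msg=audit(1614000000.123:4567): item=0 name="/etc/passwd" inode=1234 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1614000000.123:4567): proctitle=636174002F6574632F706173737764
type=SYSCALL msg=audit(1614000000.124:4568): arch=c000003e syscall=59 success=yes exit=0 a0=55d5c0a0d1e0 a1=55d5c0a0d2a0 a2=55d5c0a0d3b0 a3=8 items=2 ppid=1 pid=1235 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1614000000.124:4568): argc=2 a0="ls" a1="-l"
type=CWD msg=audit(1614000000.124:4568): cwd="/home/user"
type=PATH msg=audit(1614000000.124:4568): item=0 name="/usr/bin/ls" inode=5678 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PATH msg=audit(1614000000.124:4568): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=9012 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1614000000.124:4568): proctitle=6C73002D6C
"""

# One record per line: type, then the msg=audit(ts:serial) header, then the body.
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
SYSCALL_RE = re.compile(r"\bsyscall=(\d+)\b")


def group_events(log_text):
    """Group raw records by serial.

    Returns {serial: {"syscall": int or None, "types": [record types in order],
    "bytes": total bytes written to the file for this event}}.
    """
    events = {}
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not an audit record (blank line, debris); skip it
        serial = int(m.group("serial"))
        ev = events.setdefault(serial, {"syscall": None, "types": [], "bytes": 0})
        ev["types"].append(m.group("type"))
        ev["bytes"] += len(line.encode()) + 1  # +1 for the newline auditd writes
        if m.group("type") == "SYSCALL":
            sm = SYSCALL_RE.search(m.group("body"))
            if sm:
                ev["syscall"] = int(sm.group(1))
    return events


def per_syscall(events):
    """Aggregate per syscall number: event count, average records and average bytes per event."""
    agg = defaultdict(lambda: {"events": 0, "records": 0, "bytes": 0})
    for ev in events.values():
        if ev["syscall"] is None:
            continue  # records without a SYSCALL header (e.g. a lone USER_* record)
        a = agg[ev["syscall"]]
        a["events"] += 1
        a["records"] += len(ev["types"])
        a["bytes"] += ev["bytes"]
    return {
        nr: {
            "events": a["events"],
            "avg_records": a["records"] / a["events"],
            "avg_bytes": a["bytes"] / a["events"],
        }
        for nr, a in agg.items()
    }


if __name__ == "__main__":
    evs = group_events(SAMPLE_LOG)
    for nr, stats in sorted(per_syscall(evs).items()):
        print(
            f"syscall={nr:4d} events={stats['events']} "
            f"avg_records={stats['avg_records']:.1f} avg_bytes={stats['avg_bytes']:.0f}"
        )
```

On the sample, the openat event (syscall 257 on x86_64) produces four records and the execve event (syscall 59) six, because execve adds an EXECVE aux record and a second PATH item; running the same grouping over a real audit.log (`group_events(open("/var/log/audit/audit.log").read())`) gives the per-syscall spread the issue asks about at the file stage, and the `bytes` column is a lower bound for the per-event allocation earlier in the pipeline.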