anantk17 / linux

Kernel source tree for Raspberry Pi Foundation-provided kernel builds. Issues unrelated to the linux kernel should be posted on the community forum at https://www.raspberrypi.org/forum

Analyze memory footprint of auditing framework #2

Open anantk17 opened 4 years ago

anantk17 commented 4 years ago

Figuring out the memory footprint of each audit record as it flows through the system (gen -> netlink -> auditd -> file). This will help with understanding additional memory requirements when it comes to actually recommending additional hardware costs associated with enabling audit in real-time systems.

anantk17 commented 4 years ago

Each audit record is tracked in the form of an audit_buffer from audit_log_start to audit_log_end, i.e. until gen -> send to netlink. https://github.com/anantk17/linux/blob/31118476b9fa410bfa0257538848e9cd24248deb/kernel/audit.c#L202-L211

anantk17 commented 4 years ago

audit_context contains a field called aux which contains data about auxiliary tasks associated with current tasks. This results in additional log entries being generated for each syscall.

It might make sense to check how this varies with syscalls. That should give us a direct way to get a sense of the difference in the audit delays based on different syscalls.
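One way to get the per-syscall numbers the last two comments ask for, as an added example that is not part of the issue thread, this repository or the kernel tree: group the records auditd writes to audit.log by event serial, count how many records (SYSCALL plus the CWD/PATH/PROCTITLE/EOE records that come from the aux list) each event produced, and sum their bytes per syscall number. The sample log lines are constructed (aarch64 arch and syscall numbers, matching a Raspberry Pi kernel). The byte accounting is an approximation: `file_bytes` is what lands on disk, and `payload_bytes` (the text after `msg=`) approximates the netlink payload, since the `type=NAME msg=` prefix and the newline are added by auditd; it does not recover the kernel's own audit_buffer/skb allocation size.

```python
"""Per-syscall footprint of Linux audit events, reconstructed from audit.log lines."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: three events as auditd writes them (one event per serial).
# Records sharing a serial belong to one syscall; the trailing non-SYSCALL records
# are what the audit_context aux list contributes (CWD, PATH, PROCTITLE, EOE).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1600000000.123:101): arch=c00000b7 syscall=56 success=yes exit=3 a0=ffffff9c a1=ffffd1c0 a2=0 a3=0 items=1 ppid=1 pid=1234 auid=1000 uid=1000 gid=1000 comm="cat" exe="/usr/bin/cat" key="files"
type=CWD msg=audit(1600000000.123:101): cwd="/home/pi"
type=PATH msg=audit(1600000000.123:101): item=0 name="/etc/passwd" inode=1234 dev=b3:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1600000000.123:101): proctitle=636174002F6574632F706173737764
type=EOE msg=audit(1600000000.123:101):
type=SYSCALL msg=audit(1600000000.456:102): arch=c00000b7 syscall=64 success=yes exit=12 a0=1 a1=ffffd000 a2=c a3=0 items=0 ppid=1 pid=1234 auid=1000 uid=1000 gid=1000 comm="cat" exe="/usr/bin/cat" key="writes"
type=PROCTITLE msg=audit(1600000000.456:102): proctitle=636174002F6574632F706173737764
type=EOE msg=audit(1600000000.456:102):
type=SYSCALL msg=audit(1600000001.789:103): arch=c00000b7 syscall=221 success=yes exit=0 a0=aaaa0000 a1=aaaa0100 a2=aaaa0200 a3=0 items=2 ppid=1 pid=1235 auid=1000 uid=1000 gid=1000 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1600000001.789:103): argc=2 a0="ls" a1="-l"
type=CWD msg=audit(1600000001.789:103): cwd="/home/pi"
type=PATH msg=audit(1600000001.789:103): item=0 name="/usr/bin/ls" inode=5678 dev=b3:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1600000001.789:103): item=1 name="/lib/ld-linux-aarch64.so.1" inode=91011 dev=b3:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1600000001.789:103): proctitle=6C73002D6C
type=EOE msg=audit(1600000001.789:103):
"""

# Kernel-side record text starts at "audit(sec.ms:serial): "; auditd prepends
# "type=NAME msg=" and appends a newline when writing the file.
RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=(?P<payload>audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):.*)$"
)
SYSCALL_RE = re.compile(r"\bsyscall=(\d+)\b")


@dataclass
class AuditEvent:
    serial: int
    syscall: Optional[int] = None
    record_types: list = field(default_factory=list)
    file_bytes: int = 0     # bytes as written to audit.log (line plus newline)
    payload_bytes: int = 0  # text after "msg=", roughly the netlink payload


def parse_events(log_text):
    """Group raw audit records by serial number into events."""
    events = {}
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # blank or non-audit line
        serial = int(m.group("serial"))
        ev = events.setdefault(serial, AuditEvent(serial))
        ev.record_types.append(m.group("type"))
        ev.file_bytes += len(line.encode()) + 1
        ev.payload_bytes += len(m.group("payload").encode())
        if m.group("type") == "SYSCALL":
            sm = SYSCALL_RE.search(line)
            if sm:
                ev.syscall = int(sm.group(1))
    return events


def footprint_by_syscall(log_text):
    """Aggregate events, records and bytes per syscall number."""
    agg = defaultdict(lambda: {"events": 0, "records": 0,
                               "file_bytes": 0, "payload_bytes": 0})
    for ev in parse_events(log_text).values():
        if ev.syscall is None:
            continue  # no SYSCALL record (e.g. USER_* events); not attributable
        a = agg[ev.syscall]
        a["events"] += 1
        a["records"] += len(ev.record_types)
        a["file_bytes"] += ev.file_bytes
        a["payload_bytes"] += ev.payload_bytes
    for a in agg.values():
        a["avg_records"] = a["records"] / a["events"]
        a["avg_file_bytes"] = a["file_bytes"] / a["events"]
    return dict(agg)


if __name__ == "__main__":
    for nr, a in sorted(footprint_by_syscall(SAMPLE_LOG).items()):
        print(f"syscall={nr:<4} events={a['events']} avg_records={a['avg_records']:.1f} "
              f"avg_file_bytes={a['avg_file_bytes']:.0f} payload_bytes={a['payload_bytes']}")
```

Run it against a real file with `footprint_by_syscall(open("/var/log/audit/audit.log").read())` after exercising the syscalls of interest under a rule set like the one in the sample (`-k files`, `-k writes`, `-k exec`); the spread between `avg_records` for a plain write and for an execve or openat is the aux-list effect the comment above describes, and `file_bytes` minus `payload_bytes` is exactly the per-record `type=... msg=` plus newline overhead that exists only after auditd.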