On a stock Fedora installation:

$ sudo auditctl -l
No rules

Nonetheless TIF_SYSCALL_AUDIT is set and the __audit_syscall_entry and __audit_syscall_exit account for >20% of syscall overhead according to perf.

This sucks. Unless I'm missing something, syscall auditing is *off*.

How hard would it be to arrange for TIF_SYSCALL_AUDIT to be cleared when there are no syscall rules?

(This is extra bad in kernels before 3.13, where the clear call for TIF_SYSCALL_AUDIT was completely missing.)

--Andy

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
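
Added example (not part of the original message): a small C microbenchmark for quantifying the per-syscall cost discussed above, so the figure can be compared across audit configurations on the same machine. The helper names, the iteration counts and the choice of getppid as a cheap syscall are assumptions of this example.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Hypothetical helper: monotonic clock reading in nanoseconds. */
static double now_ns(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec * 1e9 + (double)ts.tv_nsec;
}

/* Average cost of one getppid round trip through the kernel.
 * getppid does almost no work, so the result is dominated by the
 * syscall entry/exit path, which is where the audit hooks sit.
 * Returns -1.0 for a non-positive iteration count. */
double measure_syscall_ns(long iterations)
{
    if (iterations <= 0)
        return -1.0;
    double start = now_ns();
    for (long i = 0; i < iterations; i++)
        syscall(SYS_getppid);   /* raw syscall, bypasses libc caching */
    return (now_ns() - start) / (double)iterations;
}

/* Best (lowest) average over several runs, after one warm-up run,
 * to reduce noise from scheduling and frequency scaling. */
double best_of(int runs, long iterations)
{
    double best = -1.0;
    measure_syscall_ns(iterations / 10 + 1);   /* warm-up, discarded */
    for (int r = 0; r < runs; r++) {
        double ns = measure_syscall_ns(iterations);
        if (ns > 0 && (best < 0 || ns < best))
            best = ns;
    }
    return best;
}

int main(void)
{
    printf("getppid: %.1f ns per syscall (best of 5)\n",
           best_of(5, 1000000));
    return 0;
}
```

Run it once per audit configuration on an otherwise idle machine and compare the reported figures.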
