Hi Peoples,

Has anyone had experience with using the audit libraries for application-level audit, i.e. your application logs events through audit_log_user_message() library calls?

In particular I am interested in your experiences where you have applications generating a lot of audit records through this interface, but at the same time implementing, say, the STIG rules along with execve auditing. That is, adding

    -a exit,always -F arch=b32 -S execve -k cmds
    -a exit,always -F arch=b64 -S execve -k cmds

to the stig.rules file found in either /usr/share/doc/audit-2.2 or the contrib directory in the audit source.

Although I haven't done any testing yet, my supposition is that, on systems that are doing a lot of execve's, the use of the audit_log_user_message() interface slows down the applications as they are waiting on the netlink kernel queues.

Any comments before I start my investigations?

Regards
Burn

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
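One way to measure the effect the post speculates about, as an added example that is not from the post or the audit project: a Python script that frames a user record the way audit_log_user_message() does, sends it with NLM_F_ACK and blocks for the kernel's acknowledgement like libaudit's audit_send(), and reports latency percentiles, so it can be run idle and then again under an execve-heavy load with the rules above. It assumes AUDIT_USER (1005) as the record type and needs CAP_AUDIT_WRITE to send; the frame builder and ack parser run without privileges.

```python
import socket
import struct
import time

NETLINK_AUDIT = 9
AUDIT_USER = 1005      # generic user-space record type (kernel also accepts 1100-1199)
NLMSG_ERROR = 2
NLM_F_REQUEST, NLM_F_ACK = 0x01, 0x04
NLMSG_HDRLEN = 16      # struct nlmsghdr: len, type, flags, seq, pid

def build_audit_user_msg(text, seq, msg_type=AUDIT_USER):
    """Netlink frame like the one audit_log_user_message() sends: header + NUL-terminated text."""
    payload = text.encode() + b"\0"
    length = NLMSG_HDRLEN + len(payload)
    hdr = struct.pack("=IHHII", length, msg_type, NLM_F_REQUEST | NLM_F_ACK, seq, 0)
    return hdr + payload + b"\0" * (((length + 3) & ~3) - length)   # pad to 4-byte boundary

def parse_header(frame):
    length, msg_type, flags, seq, pid = struct.unpack("=IHHII", frame[:NLMSG_HDRLEN])
    return {"len": length, "type": msg_type, "flags": flags, "seq": seq, "pid": pid}

def parse_ack(frame, expected_seq):
    """Return the errno the kernel reported for our record (0 means it was queued)."""
    hdr = parse_header(frame)
    if hdr["type"] != NLMSG_ERROR or hdr["seq"] != expected_seq:
        raise ValueError("unexpected reply: type=%d seq=%d" % (hdr["type"], hdr["seq"]))
    (err,) = struct.unpack("=i", frame[NLMSG_HDRLEN:NLMSG_HDRLEN + 4])  # nlmsgerr.error
    return -err

def time_user_messages(count, text="app-audit benchmark"):
    """Send `count` records, blocking for each ack as libaudit's audit_send() does.
    Needs CAP_AUDIT_WRITE; returns latency percentiles in microseconds."""
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_AUDIT)
    lat = []
    try:
        for seq in range(1, count + 1):
            t0 = time.perf_counter()
            sock.sendto(build_audit_user_msg("%s n=%d" % (text, seq), seq), (0, 0))
            rc = parse_ack(sock.recv(8192), seq)
            lat.append(time.perf_counter() - t0)
            if rc:
                raise OSError(rc, "kernel rejected audit record")
    finally:
        sock.close()
    lat.sort()
    pick = lambda q: lat[min(len(lat) - 1, int(len(lat) * q))] * 1e6
    return {"median_us": pick(0.5), "p99_us": pick(0.99), "max_us": lat[-1] * 1e6}

if __name__ == "__main__":
    print(time_user_messages(1000))   # run once idle, once under an execve-heavy load
```

A rising p99/max between the idle and loaded runs is the time the sender spends waiting on the kernel's audit backlog, which is what the post's supposition would predict.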
