HTTP Tests
These are preliminary tests of the system, and currently very rudimentary.
The back-end machine, which has a default Apache installation on it, was set up
4 different ways:
- With no auditing
- With auditing turned on, but the network disabled
- With both auditing and networking enabled
- With auditing over the network on, but no read or write auditing
From another computer, I ran wget -r (which recursively retrieves a webpage, following
links) on the back-end, to see how it performed. The results indicate that running the
auditdaemon significantly slows down the computer being audited.
I believe much of this inefficiency could be reduced by moving the auditdaemon
completely into the kernel (eliminating huge copies to userspace). Notice that the
performance once reads/writes are turned off is nearly as good as the performance with
auditing turned off entirely.
Another possible way to improve performance would be to
change the way that the auditdaemon reads from the kernel. Currently, the auditdaemon
reads from the kernel, then writes to the socket. Perhaps if asynchronous I/O were
used so that the auditdaemon would read from the kernel as fast as possible, and write
to the socket only when data was available, this would improve performance because the
kernel would not hit its "throttle" limit as often (which causes it to block tasks).
Furthermore, the way that the auditdaemon performs reads is currently very inefficient.
It reads only to the exact boundaries of events, by figuring out their length. Rather
than doing this, it should read as much data as it can get, and parse the events out of
the stream.
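The stream-oriented read loop proposed above, as an added example that is not code from the auditdaemon or from this page: it buffers whatever a large read returns, parses every complete event out of the buffer, and carries a trailing partial event over to the next chunk instead of reading to exact event boundaries. The 2-byte length-prefixed framing, the struct and function names, and the sample stream are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Assumed (hypothetical) framing: a 2-byte little-endian length header
 * followed by the payload; the real audit record format is not on the page. */
#define HDR_LEN 2
#define MAX_BUF 4096

struct stream_parser {
    uint8_t buf[MAX_BUF];   /* unconsumed bytes; may end in a partial event */
    size_t used;
};

/* Feed whatever a large read returned, parse out every complete event and keep
 * any trailing partial event for the next chunk. Returns the number of events
 * completed by this chunk, or -1 if the data cannot fit the buffer. */
static int parser_feed(struct stream_parser *p, const uint8_t *chunk, size_t n)
{
    if (n > MAX_BUF - p->used) return -1;
    memcpy(p->buf + p->used, chunk, n);
    p->used += n;
    size_t off = 0;
    int found = 0;
    while (p->used - off >= HDR_LEN) {
        size_t len = p->buf[off] | ((size_t)p->buf[off + 1] << 8);
        if (len + HDR_LEN > MAX_BUF) return -1;    /* could never complete */
        if (p->used - off < HDR_LEN + len) break;  /* partial: wait for more */
        /* handle_event(p->buf + off + HDR_LEN, len) would go here */
        off += HDR_LEN + len;
        found++;
    }
    memmove(p->buf, p->buf + off, p->used - off);  /* slide remainder down */
    p->used -= off;
    return found;
}

/* Constructed sample: events "ab", "cde", "f" delivered in two chunks whose
 * boundary falls inside the second event. Returns the total events parsed. */
static int demo_split_delivery(void)
{
    static const uint8_t stream[] = { 2,0,'a','b', 3,0,'c','d','e', 1,0,'f' };
    struct stream_parser p;
    memset(&p, 0, sizeof p);
    int first = parser_feed(&p, stream, 6);                      /* completes 1 */
    int second = parser_feed(&p, stream + 6, sizeof stream - 6); /* 2 more */
    if (first != 1 || second != 2 || p.used != 0) return -1;
    return first + second;
}
int main(void) { printf("events parsed: %d\n", demo_split_delivery()); return 0; }
```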
Mike Shea
Last modified: Fri Mar 14 15:08:23 PST 2003