Re: [2.6.16 PATCH] Connector: Filesystem Events Connector

From: Yi Yang
Date: Thu Mar 23 2006 - 19:41:20 EST

Next message: john stultz: "Re: 2.6.16-mm1"
Previous message: Rafael J. Wysocki: "Re: 2.6.16-mm1"
In reply to: Arjan van de Ven: "Re: [2.6.16 PATCH] Connector: Filesystem Events Connector"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Arjan van de Ven wrote:

On Wed, 2006-03-22 at 22:58 +0800, Yi Yang wrote:

This patch implements a new connector, Filesystem Event Connector,
the user can monitor filesystem activities via it, currently, it
can monitor access, attribute change, open, create, modify, delete,
move and close of any file or directory.

how is this not redundant functionality with the audit subsystem ?

If you open Audit option, audit subsystem will audit all the syscalls, so it adds big overhead for the whole system,
but Filesystem Event Connector just concerns those operations related to the filesystem, so it has little overhead,
moreover, audit subsystem is a complicated function block, it not only sends audit results to netlink interface, but also
send them to klog or syslog, so it will add big overhead.

I think you can look File Event Connector as subset of audit subsystem, but File Event Connector is a very lightweight
subsystem.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: john stultz: "Re: 2.6.16-mm1"
Previous message: Rafael J. Wysocki: "Re: 2.6.16-mm1"
In reply to: Arjan van de Ven: "Re: [2.6.16 PATCH] Connector: Filesystem Events Connector"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]