auditd and redhat cluster

Burn Alting burn at swtf.dyndns.org
Wed Mar 2 09:16:54 UTC 2016


On Tue, 2016-03-01 at 16:53 -0500, Paul Moore wrote:
> On Tue, Mar 1, 2016 at 4:25 PM, Burn Alting <burn at swtf.dyndns.org> wrote:
> > Steve, Paul,
> >
> > I have yet to put together a bug report, or researched to see if the
> > problem exists upstream, but have discovered recursive directory rules
> > can be expensive on the kernel. The rules below on a system running
> > rabbitmq can see get_task_cred and audit_filter_rules above 10% each.
> >
> > -w /etc/pam.d -p wa -k PAM_Mods
> > -w /boot -k BOOT_Mods
> > -w /boot/grub/grub.conf -p war -k BOOT_Mods
> > -w /etc/security -p wa -k Security_Mods
> > -w /etc/sysconfig -p wa -k Sysconfig_Mods
> > -w /etc/ld.so.conf.d -p wa -k Library_Mods
> > -w /etc/inittab -p wa -k StartUp_Mods
> > -w /etc/rc.d -p wa -k StartUp_Mods
> 
> Some of the work that Richard did with fsnotify for audit-by-exec
> could be used to help make filesystem watches much more efficient,
> especially the case where you are watching a lot of files in a common
> directory.

Interestingly, if we convert all the above into possibly hundreds of
specific file watches (for all files in the trees at a given time), the
system does not take a hit any more.

Again, as soon as I can, I will produce a test configuration.

I will be interested in Philippe's results, if he has/can test my
suggestion.

Rgds
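The workaround described above (replacing one recursive directory watch with one explicit watch per file present in the tree) can be scripted. The following is an added example, not code from the thread or from the audit project: `expand_watch_rule` takes a directory, a permission string and a key (the same three fields as the `-w ... -p ... -k ...` rules quoted above) and emits one `-w` rule per regular file. The demo tree it runs on is constructed in a temporary directory so nothing touches the real `/etc`. Because the expansion is a snapshot, files created later are not covered until the rules are regenerated.

```shell
#!/bin/sh
# Expand a recursive "-w DIR -p PERMS -k KEY" directory watch into explicit
# per-file watches for every regular file currently under DIR.
# Assumption (not from the thread): the output is regenerated whenever the
# tree changes, since files added after generation get no watch.
expand_watch_rule() {
    dir=$1; perms=$2; key=$3
    # Sorted for stable, diff-able rule files. Paths containing spaces or
    # newlines would not survive auditctl's rule parsing, so skip them.
    find "$dir" -type f 2>/dev/null | LC_ALL=C sort | while IFS= read -r f; do
        case $f in *' '*) continue ;; esac
        printf -- '-w %s -p %s -k %s\n' "$f" "$perms" "$key"
    done
}

# Number of rules an expansion would produce; useful for deciding whether a
# tree is small enough for per-file watches to be a sensible trade-off.
count_rules() {
    expand_watch_rule "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Constructed demo tree (stand-in for /etc/pam.d and /etc/rc.d).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/pam.d" "$demo_dir/rc.d/init.d"
printf 'auth required pam_unix.so\n' > "$demo_dir/pam.d/sshd"
printf 'auth required pam_unix.so\n' > "$demo_dir/pam.d/login"
printf '#!/bin/sh\n' > "$demo_dir/rc.d/init.d/network"

expand_watch_rule "$demo_dir/pam.d" wa PAM_Mods
expand_watch_rule "$demo_dir/rc.d" wa StartUp_Mods
```

Redirect the output into a file under the audit rules directory and load it with `auditctl -R` or `augenrules` as the distribution expects; `count_rules` gives a quick sanity check on how many watches a given tree would add before committing to it.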
