BIG performance hit with auditd on large cpus (>64 cpus)

Klaus Lichtenwalder lichtenwalder at gmail.com
Fri May 19 21:09:07 UTC 2017


On 19 May 2017 23:00:24 CEST, Steve Grubb <sgrubb at redhat.com> wrote:
>On Friday, May 19, 2017 4:22:24 PM EDT Klaus Lichtenwalder wrote:
..  
>> These are the audit rules:
>> auditctl -l
>> -a always,exit -S all -F path=/etc/environment -F perm=wa -F auid>=400 -F key=CRIT_CONF
>
>Clipped all the other rules. Out of curiosity, why do you include -S all in
>every rule? That will automatically send the syscall into the syscall rules
>which affects the performance of every single syscall in every single
>application. The majority of your rules are file watches which generally take
>a different route that is more efficient.
>
>To fix this, just remove "-S all" in every rule. I bet it works much better
>after that.
>
>-Steve

Hi Steve,

Actually, I can't tell where this originated... Somehow this got included at some point, and probably all other rules copied that. Will check on Monday, as nobody is available to start those jobs this weekend.
Thanks
Klaus
-- 
This message was sent from my Android mobile phone with K-9 Mail.
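
Added example (not part of the original thread and not code from the audit project): a POSIX shell filter that applies the fix suggested above to a rule listing, dropping "-S all" only from rules that are file watches, i.e. those carrying -F path= or -F dir=. The first sample rule is the one quoted in the thread; the other sample rules, the function names and the restriction to path/dir rules are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample listing in "auditctl -l" style. Line 1 is the rule quoted
# in the thread; lines 2-4 are made up for illustration.
SAMPLE_RULES='-a always,exit -S all -F path=/etc/environment -F perm=wa -F auid>=400 -F key=CRIT_CONF
-a always,exit -S all -F dir=/etc/ssh -F perm=wa -F auid>=400 -F key=CRIT_CONF
-a always,exit -F arch=b64 -S execve -F auid>=400 -F key=EXEC
-w /etc/passwd -p wa -k IDENTITY'

# count_affected: read rules on stdin, print how many file-watch rules
# (-F path= or -F dir=) still carry "-S all".
count_affected() {
    awk '/^-a / && / -F (path|dir)=/ && / -S all( |$)/ { n++ }
         END { print n + 0 }'
}

# strip_s_all: read rules on stdin, write them to stdout with "-S all"
# removed from file-watch rules only. Rules that name specific syscalls,
# rules without a path/dir field, and -w watches pass through unchanged.
strip_s_all() {
    awk '/^-a / && / -F (path|dir)=/ && / -S all( |$)/ {
             gsub(/ -S all( |$)/, " ")   # drop the option, keep one separator
             sub(/ +$/, "")              # tidy up if it was the last option
         }
         { print }'
}

# Demo on the constructed listing: report, then show the rewritten rules.
echo "file-watch rules with -S all: $(printf '%s\n' "$SAMPLE_RULES" | count_affected)"
printf '%s\n' "$SAMPLE_RULES" | strip_s_all
```

On a real system, feed it the output of auditctl -l or the contents of the rules file, and review the result before loading it.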



