BIG performance hit with auditd on large systems (>64 CPUs)

Klaus Lichtenwalder klic at mnet-online.de
Tue May 23 14:45:20 UTC 2017


On 23 May 2017 14:51:29 CEST, Steve Grubb <sgrubb at redhat.com> wrote:
>Hello,
>
>On Tue, 23 May 2017 11:05:18 +0200
>Klaus Lichtenwalder <klic at mnet-online.de> wrote:
>> On 19 May 2017 23:41:58 CEST, Stephen Buchanan
>> <stephenwb at gmail.com> wrote:
>> >Agree with Steve's suggestion re: "-S all". Also might help if you
>> >sort  
>> 
>> I now know where -S all stems from... Some watches add a -S all by
>> themselves... Probably created an audit.rules file by textually
>> working from there and duplicating rules
>
>What is the source of your rules listed? Is it coming from auditctl -l
>or from /etc/audit/audit.rules? There were a couple releases of
>auditctl where I think -S all may have been added but if I remember it
>was fixed a few releases later. The rules that come from disk would be
>more accurate.
>

Well, they came from auditctl -l
System in question is RHEL6.8, can't tell actual package version right now, as I'm on the road...
But thanks, will keep in mind to stick to the files...

Klaus

-- 
Sent from my phone with K9. The recipient may keep any typos and strange words.



