On 19 May 2017 23:00:24 CEST, Steve Grubb <sgrubb(a)redhat.com> wrote:
> On Friday, May 19, 2017 4:22:24 PM EDT Klaus Lichtenwalder wrote:
> ..
> > These are the audit rules:
> > auditctl -l
> > -a always,exit -S all -F path=/etc/environment -F perm=wa -F auid>=400 -F key=CRIT_CONF
>
> Clipped all the other rules. Out of curiosity, why do you include -S all in
> every rule? That will automatically send the syscall into the syscall rules,
> which affects the performance of every single syscall in every single
> application. The majority of your rules are file watches, which generally
> take a different route that is more efficient.
>
> To fix this, just remove "-S all" in every rule. I bet it works much better
> after that.
>
> -Steve

Hi Steve,
Actually, I can't tell where this originated... Somehow this got included somehow
sometimes, and probably all other rules copied that. Will check on Monday, as nobody is
available to start those jobs this weekend.
Thanks
Klaus
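The change suggested in the quoted reply, as an added example that is not part of the original thread: a shell filter that drops `-S all` only from rules carrying a `path=` or `dir=` field and leaves other syscall rules untouched. The function names and every sample rule except the CRIT_CONF one are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads audit rules (auditctl -l style)
# on stdin and writes them back with "-S all" removed from file-watch rules.

strip_s_all() {
    awk '
    {
        # A rule counts as a file watch if it filters on path= or dir=.
        is_watch = 0
        for (i = 1; i <= NF; i++)
            if ($i == "-F" && $(i + 1) ~ /^(path|dir)=/) is_watch = 1

        # Comments, blank lines and ordinary syscall rules pass through as-is.
        if (!is_watch || $1 != "-a") { print; next }

        # Rebuild the rule without the "-S all" pair of fields.
        out = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-S" && $(i + 1) == "all") { i++; continue }
            out = (out == "" ? $i : out " " $i)
        }
        print out
    }'
}

# Constructed sample input: the first rule is the one quoted in the thread,
# the other three are made up to show what is and is not rewritten.
sample_rules() {
cat <<'EOF'
-a always,exit -S all -F path=/etc/environment -F perm=wa -F auid>=400 -F key=CRIT_CONF
-a always,exit -S all -F dir=/etc/example.d -F perm=wa -F key=EXAMPLE_DIR
-a always,exit -F arch=b64 -S execve -F auid>=400 -F key=EXAMPLE_EXEC
-a always,exit -S all -F auid>=400 -F key=EXAMPLE_ALL
EOF
}

sample_rules | strip_s_all
```

The last sample rule keeps its `-S all` because it has no `path=` or `dir=` field, so it is a genuine syscall rule rather than a file watch.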