On 23 May 2017 14:51:29 CEST, Steve Grubb <sgrubb(a)redhat.com> wrote:
> Hello,
> On Tue, 23 May 2017 11:05:18 +0200
> Klaus Lichtenwalder <klic(a)mnet-online.de> wrote:
>> On 19 May 2017 23:41:58 CEST, Stephen Buchanan
>> <stephenwb(a)gmail.com> wrote:
>> >Agree with Steve's suggestion re: "-S all". Also might help if you
>> >sort
>>
>> I now know where -S all stems from... Some watches add a -S all by
>> themselves... Probably created an audit.rules file by textually
>> working from there and duplicating rules
> What is the source of your rules listed? Is it coming from auditctl -l
> or from /etc/audit/audit.rules? There were a couple releases of
> auditctl where I think -S all may have been added but if I remember it
> was fixed a few releases later. The rules that come from disk would be
> more accurate.

Well, they came from auditctl -l
System in question is RHEL6.8, can't tell actual package version right now, as I'm
on the road...
But thanks, will keep in mind to stick to the files...
Klaus
--
Sent from my phone with K9. The recipient may keep any typos and strange words.