<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="Generator" content="Microsoft Word 15 (filtered medium)"> <style></style> </head> <body lang="EN-US" link="blue" vlink="purple"> <div class="WordSection1"> Test program tries to open the same file that exists on the system.<o:p></o:p> <o:p> </o:p> From: Satish Chandra Kilaru [mailto:iam.kilaru@gmail.com] Sent: Thursday, January 29, 2015 10:44 PM To: Richard Guy Briggs Cc: Viswanath, Logeswari P (MCOU OSTL); Steve Grubb; linux-audit@redhat.com Subject: Re: Linux audit performance impact<o:p></o:p> <o:p> </o:p> Try configuring external syslog server...that way ur disk is free of I/o...<o:p></o:p> <div> Are you opening/closing same file again and again or different files?<o:p></o:p> </div> <div> If external syslog server is not possible, try to open files from a disk that is not used by syslog... On Thursday, January 29, 2015, Richard Guy Briggs <<a href="mailto:rgb@redhat.com">rgb@redhat.com</a>> wrote:<o:p></o:p> <blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt"> On 15/01/29, Viswanath, Logeswari P (MCOU OSTL) wrote: > Please read my question as “Is there any option to configure kaudit > not to log audit records to syslog? when auditd not running.” Yeah, remove audit=1 from the kernel command line, or set audit=0 in its place. This will stop all but AVCs and if auditd has ever run since boot. If audit=0 is on the kernel boot line, it will be impossible to run auditd. There is a feature request that is likely coming soon that could be useful: <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1160046" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1160046</a> "If no audit daemon is running, but an audit multicast subscriber is around, then the kernel shouldn't forward audit data to kmsg" > From: Viswanath, Logeswari P (MCOU OSTL) > Sent: Thursday, January 29, 2015 11:49 AM > To: 'Satish Chandra Kilaru'; Steve Grubb > Cc: <a href="javascript:;">linux-audit@redhat.com</a> > Subject: RE: Linux audit performance impact > > Is there any option to configure kaudit not to log audit records to syslog when auditd is running? > This way we can assess the impact of enabling audit without involving disk I/o overhead. > > From: Satish Chandra Kilaru [mailto:<a href="javascript:;">iam.kilaru@gmail.com</a>] > Sent: Thursday, January 29, 2015 9:12 AM > To: Steve Grubb > Cc: <a href="javascript:;">linux-audit@redhat.com</a><mailto:<a href="javascript:;">linux-audit@redhat.com</a>>; Viswanath, Logeswari P (MCOU OSTL) > Subject: Re: Linux audit performance impact > > I agree with you... but writing to disk can trigger further events leading spiralling of events... > I brought down my server few times with stupid rules... > > On Wed, Jan 28, 2015 at 10:39 PM, Steve Grubb <<a href="javascript:;">sgrubb@redhat.com</a><mailto:<a href="javascript:;">sgrubb@redhat.com</a>>> wrote: > On Wednesday, January 28, 2015 10:18:47 AM Satish Chandra Kilaru wrote: > > Write your own program to receive audit events directly without using > > auditd... > > That should be faster .... > > Auditd will log the events to disk causing more I/o than u need... > > But even that is configurable in many ways. You can decide if you want logging > to disk or not and what kind of assurance that it made it to disk and the > priority of that audit daemon. Then you also have all the normal tuning knobs > for disk throughput that you would use for any disk performance critical > system. > > -Steve > > > On Wednesday, January 28, 2015, Viswanath, Logeswari P (MCOU OSTL) < > > > > <a href="javascript:;">logeswari.pv@hp.com</a><mailto:<a href="javascript:;">logeswari.pv@hp.com</a>>> wrote: > > > Hi Steve, > > > > > > I am Logeswari working for HP. > > > > > > > > > > > > We want to know audit performance impact on RHEL and Suse linux to help us > > > evaluate linux audit as data source for our host based IDS. > > > > > > When we ran our own performance test with a test audispd plugin, we found > > > if a system can perform 200000 open/close system calls per second without > > > auditing, system can perform only 3000 open/close system calls auditing is > > > enabled for open/close system call which is a HUGE impact on the system > > > performance. It would be great if anyone can help us answering the > > > following questions. > > > > > > > > > > > > 1) Is this performance impact expected? If yes, what is the reason > > > behind it and can we fix it? > > > > > > 2) Have anyone done any benchmarking for performance impact? If yes, > > > can you please share the numbers and also the steps/programs used the run > > > the same. > > > > > > 3) Help us validating the performance test we have done in our test > > > setup using the steps mentioned along with the results attached. > > > > > > > > > > > > Attached test program (loader.c) to invoke open and close system calls. > > > > > > Attached idskerndsp is the audispd plugin program. > > > > > > We used time command to determine how much time the system took to > > > complete 50000 open/close system calls without (results attached > > > Without-auditing) and with auditing enabled on the system > > > (With-auditing-NOLOG-audispd-plugin and With-auditing-RAW) > > > > > > > > > > > > System details: > > > > > > > > > > > > 1 CPU machine > > > > > > > > > > > > *OS Version* > > > > > > RHEL 6.5 > > > > > > > > > > > > *Kernel Version* > > > > > > uname –r > > > > > > 2.6.32-431.el6.x86_64 > > > > > > > > > > > > Note: auditd was occupying 35% of CPU and was sleeping for most of the > > > time whereas kauditd was occupying 20% of the CPU. > > > > > > > > > > > > Thanks & Regards, > > > > > > Logeswari. > > > > -- > Please Donate to <a href="http://www.wikipedia.org" target="_blank">www.wikipedia.org</a><<a href="http://www.wikipedia.org" target="_blank">http://www.wikipedia.org</a>> > -- > Linux-audit mailing list > <a href="javascript:;">Linux-audit@redhat.com</a> > <a href="https://www.redhat.com/mailman/listinfo/linux-audit" target="_blank">https://www.redhat.com/mailman/listinfo/linux-audit</a> - RGB -- Richard Guy Briggs <<a href="javascript:;">rbriggs@redhat.com</a>> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545<o:p></o:p> </blockquote> </div> -- Please Donate to <a href="http://www.wikipedia.org">www.wikipedia.org</a><o:p></o:p> </div> </body> </html>