Linux audit performance impact

Satish Chandra Kilaru iam.kilaru at gmail.com
Wed Jan 28 15:18:47 UTC 2015


Write your own program to receive audit events directly without using
auditd...
That should be faster...
Auditd will log the events to disk, causing more I/O than you need...

On Wednesday, January 28, 2015, Viswanath, Logeswari P (MCOU OSTL) <
logeswari.pv at hp.com> wrote:

> Hi Steve,
>
> I am Logeswari working for HP.
>
> We want to know the audit performance impact on RHEL and SUSE Linux to help us
> evaluate Linux audit as a data source for our host-based IDS.
>
> When we ran our own performance test with a test audispd plugin, we found that
> if a system can perform 200000 open/close system calls per second without
> auditing, the system can perform only 3000 open/close system calls when auditing
> is enabled for the open/close system calls, which is a HUGE impact on system
> performance. It would be great if anyone can help us answer the
> following questions.
>
> 1) Is this performance impact expected? If yes, what is the reason
> behind it and can we fix it?
>
> 2) Has anyone done any benchmarking for performance impact? If yes,
> can you please share the numbers and also the steps/programs used to run
> the same.
>
> 3) Help us validate the performance test we have done in our test
> setup using the steps mentioned along with the results attached.
>
> Attached test program (loader.c) to invoke open and close system calls.
>
> Attached idskerndsp is the audispd plugin program.
>
> We used the time command to determine how much time the system took to
> complete 50000 open/close system calls without (results attached
> Without-auditing) and with auditing enabled on the system
> (With-auditing-NOLOG-audispd-plugin and With-auditing-RAW)
>
> System details:
>
> 1 CPU machine
>
> *OS Version*
>
> RHEL 6.5
>
> *Kernel Version*
>
> uname -r
>
> 2.6.32-431.el6.x86_64
>
> Note: auditd was occupying 35% of CPU and was sleeping for most of the
> time whereas kauditd was occupying 20% of the CPU.
>
> Thanks & Regards,
>
> Logeswari.
>


-- 
Please Donate to www.wikipedia.org
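
An added example, not part of the original thread and not the loader.c attached to it: a small open/close benchmark of the kind the quoted message describes, to be run once without and once with audit rules on these system calls loaded. The target path /dev/null, the function names and the default count are assumptions made for illustration.

```c
/* Added example (not the thread's loader.c): time N open/close pairs so the
 * same run can be compared with auditing disabled and enabled. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <time.h>
#include <unistd.h>

/* Issue the syscall directly: newer glibc implements open() with openat,
 * which an audit rule written only for "open" would not match. */
static long raw_open(const char *path)
{
#ifdef SYS_open
    return syscall(SYS_open, path, O_RDONLY);
#else   /* architectures without an open syscall, e.g. aarch64 */
    return syscall(SYS_openat, AT_FDCWD, path, O_RDONLY);
#endif
}

/* Run `pairs` open/close pairs on `path`; return the number completed and
 * store the elapsed wall-clock seconds in *elapsed. */
long run_pairs(const char *path, long pairs, double *elapsed)
{
    struct timespec t0, t1;
    long done = 0;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    for (long i = 0; i < pairs; i++) {
        long fd = raw_open(path);
        if (fd < 0)
            break;              /* stop at the first failure, keep the count */
        syscall(SYS_close, (int)fd);
        done++;
    }
    clock_gettime(CLOCK_MONOTONIC, &t1);
    *elapsed = (t1.tv_sec - t0.tv_sec) + (t1.tv_nsec - t0.tv_nsec) / 1e9;
    return done;
}

int main(int argc, char **argv)
{
    long pairs = argc > 1 ? atol(argv[1]) : 50000;  /* assumed default */
    double secs;
    long done = run_pairs("/dev/null", pairs, &secs);
    printf("%ld open/close pairs in %.3f s (%.0f syscalls/s)\n",
           done, secs, secs > 0 ? 2.0 * done / secs : 0.0);
    return done == pairs ? 0 : 1;
}
```

Comparing the syscalls/s figure across the two runs gives the per-call overhead of the audit path independently of process start-up time, which the time command includes.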