Linux audit performance impact

Satish Chandra Kilaru iam.kilaru at gmail.com
Thu Jan 29 03:41:34 UTC 2015


I agree with you... but writing to disk can trigger further events, leading
to a spiral of events...
I brought down my server a few times with stupid rules...

On Wed, Jan 28, 2015 at 10:39 PM, Steve Grubb <sgrubb at redhat.com> wrote:

> On Wednesday, January 28, 2015 10:18:47 AM Satish Chandra Kilaru wrote:
> > Write your own program to receive audit events directly without using
> > auditd...
> > That should be faster ....
> > Auditd will log the events to disk causing more I/O than you need...
>
> But even that is configurable in many ways. You can decide if you want
> logging to disk or not and what kind of assurance that it made it to disk
> and the priority of that audit daemon. Then you also have all the normal
> tuning knobs for disk throughput that you would use for any disk
> performance critical system.
>
> -Steve
>
> > On Wednesday, January 28, 2015, Viswanath, Logeswari P (MCOU OSTL) <
> > logeswari.pv at hp.com> wrote:
> > > Hi Steve,
> > >
> > > I am Logeswari working for HP.
> > >
> > > We want to know the audit performance impact on RHEL and SUSE Linux to
> > > help us evaluate Linux audit as a data source for our host-based IDS.
> > >
> > > When we ran our own performance test with a test audispd plugin, we
> > > found that if a system can perform 200000 open/close system calls per
> > > second without auditing, the system can perform only 3000 open/close
> > > system calls when auditing is enabled for the open/close system calls,
> > > which is a HUGE impact on system performance. It would be great if
> > > anyone can help us answer the following questions.
> > >
> > > 1) Is this performance impact expected? If yes, what is the reason
> > > behind it and can we fix it?
> > >
> > > 2) Has anyone done any benchmarking for performance impact? If yes,
> > > can you please share the numbers and also the steps/programs used to
> > > run the same.
> > >
> > > 3) Help us validate the performance test we have done in our test
> > > setup using the steps mentioned along with the results attached.
> > >
> > > Attached test program (loader.c) to invoke open and close system calls.
> > >
> > > Attached idskerndsp is the audispd plugin program.
> > >
> > > We used the time command to determine how much time the system took to
> > > complete 50000 open/close system calls without auditing (results
> > > attached: Without-auditing) and with auditing enabled on the system
> > > (With-auditing-NOLOG-audispd-plugin and With-auditing-RAW).
> > >
> > > System details:
> > >
> > > 1 CPU machine
> > >
> > > *OS Version*
> > > RHEL 6.5
> > >
> > > *Kernel Version*
> > > uname -r
> > > 2.6.32-431.el6.x86_64
> > >
> > > Note: auditd was occupying 35% of the CPU and was sleeping for most of
> > > the time whereas kauditd was occupying 20% of the CPU.
> > >
> > > Thanks & Regards,
> > >
> > > Logeswari.
>



-- 
Please Donate to www.wikipedia.org
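As an added example that is not the loader.c attached to the quoted message, a small C benchmark that times open()/close() pairs the way the test described above did, so the with-auditing and without-auditing rates can be compared; the target path, the iteration count and the auditctl rule named in the header comment are assumptions.

```c
/* Added example, not the loader.c from the thread: times open()/close() pairs
   so the audit overhead described above can be measured. Run once with no audit
   rules, then again after e.g. `auditctl -a always,exit -F arch=b64 -S open -S close`.
   Path and iteration count below are assumptions. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/time.h>
#include <unistd.h>

/* Perform `iterations` open()/close() pairs on `path`; returns the number of
   pairs that succeeded. Each pair is two syscalls, each audited separately. */
long open_close_loop(const char *path, long iterations)
{
    long ok = 0;
    for (long i = 0; i < iterations; i++) {
        int fd = open(path, O_RDONLY);
        if (fd < 0)
            break;              /* stop on first failure; caller sees a short count */
        if (close(fd) == 0)
            ok++;
    }
    return ok;
}

/* Wall-clock rate in open/close pairs per second (the `time` command's "real"
   figure divided into the count), or -1.0 if any call failed. */
double open_close_rate(const char *path, long iterations)
{
    struct timeval start, end;
    gettimeofday(&start, NULL);
    long done = open_close_loop(path, iterations);
    gettimeofday(&end, NULL);
    double elapsed = (double)(end.tv_sec - start.tv_sec)
                   + (double)(end.tv_usec - start.tv_usec) / 1e6;
    if (done != iterations || elapsed <= 0.0)
        return -1.0;
    return (double)done / elapsed;
}

int main(int argc, char **argv)
{
    /* Assumed defaults: /dev/null as target, 50000 pairs as in the original test. */
    const char *path = argc > 1 ? argv[1] : "/dev/null";
    long iterations = argc > 2 ? atol(argv[2]) : 50000;
    double rate = open_close_rate(path, iterations);
    if (rate < 0.0) { perror("open/close"); return 1; }
    printf("%ld open/close pairs on %s: %.0f pairs/s\n", iterations, path, rate);
    return 0;
}
```

Compare the printed rate between runs; the difference is the overhead of the audit path (kauditd, auditd and any audispd plugin), which the quoted message observed as a drop from about 200000 to about 3000 calls per second.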