BIG performance hit with auditd on large systems (>64 CPUs)

Klaus Lichtenwalder klic at mnet-online.de
Tue May 23 09:05:18 UTC 2017


Hi everybody

On 19 May 2017 23:41:58 CEST, Stephen Buchanan <stephenwb at gmail.com> wrote:
>Agree with Steve's suggestion re: "-S all". Also might help if you sort

I now know where -S all stems from... Some watches add a -S all by themselves... Probably created an audit.rules file by textually working from there and duplicating rules

>your rules to put all the ones with '-F auid>=400' below a single line
>rule
>like this:
>-a never,exit -F auid<400
>
>and remove the '-F auid>=400' from all of the rules below it.
>
...

I did this, and verified it, but there was absolutely no difference to unsorted rules having -S all also specified.

Still cpu %system up to 50% and run time of jobs 100% longer. 
This was on a vm with 72 cpus

Klaus


-- 
Sent from my phone with K9. The recipient may keep any typos and odd words.
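
The rule restructuring quoted in this message, as an added example that is not part of the original post or the audit project's code: a Python sketch that moves the `auid` test into one `-a never,exit -F auid<400` line, strips `-F auid>=400` from the rules placed below it, and lists rules that carry `-S all`. The sample rules are constructed, the function names are hypothetical, and tokens are assumed to be whitespace-separated with no quoted spaces.

```python
# Constructed sample rules for illustration; not taken from the thread.
SAMPLE_RULES = """\
-w /etc/passwd -p wa -k passwd
-a always,exit -F arch=b64 -S all -F path=/etc/shadow -F perm=wa -F auid>=400 -k shadow
-a always,exit -F arch=b64 -S open,openat -F exit=-EACCES -F auid>=400 -k access
# comment lines and blank lines stay with the unfiltered group
-a always,exit -F arch=b64 -S execve -k exec
"""

def drop_pair(tokens, flag, value):
    """Return tokens with every adjacent (flag, value) pair removed."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == flag and i + 1 < len(tokens) and tokens[i + 1] == value:
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return out

def hoist_auid_filter(rules_text, threshold=400):
    """Return (new_rules_text, rules_with_S_all).

    Rules without the auid field stay first, then one never rule, then the
    rules that had the field, with that field removed.
    """
    auid_field = f"auid>={threshold}"
    unfiltered, filtered, syscall_all = [], [], []
    for line in rules_text.splitlines():
        tokens = line.split()
        if tokens[:1] == ["-a"] and auid_field in tokens:
            tokens = drop_pair(tokens, "-F", auid_field)
            filtered.append(" ".join(tokens))
        else:
            unfiltered.append(line)
        # Report (but do not change) rules that name every syscall.
        if tokens[:1] == ["-a"] and drop_pair(tokens, "-S", "all") != tokens:
            syscall_all.append(" ".join(tokens))
    if not filtered:
        return rules_text, syscall_all
    never = f"-a never,exit -F auid<{threshold}"
    return "\n".join(unfiltered + [never] + filtered) + "\n", syscall_all

if __name__ == "__main__":
    new_rules, flagged = hoist_auid_filter(SAMPLE_RULES)
    print(new_rules)
    print("rules with -S all:", *flagged, sep="\n  ")
```

Rules without the `auid` field are kept above the `never` line because audit rule matching is first-match-wins, so anything placed below it no longer sees events with `auid` under 400.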



