overhead of auditd

杨海 hai.yang at magic-shield.com
Mon Jul 15 10:21:11 UTC 2019


Hi Steve,


I once read the document you wrote about layering an IDS on top of auditd. I suppose inotify could be lightweight for an IDS. Any comment?


Best regards
Hai

------------------ Original ------------------
From:  "Steve Grubb"<sgrubb at redhat.com>;
Date:  Fri, Jul 12, 2019 08:14 PM
To:  "linux-audit"<linux-audit at redhat.com>; 
Cc:  "杨海"<hai.yang at magic-shield.com>; 
Subject:  Re: overhead of auditd


Hello,

On Thursday, July 11, 2019 11:23:45 PM EDT 杨海 wrote:
> Turning on all system calls in audit.rules, and transferring a tar file to
> the target system (CentOS 7, 4 cores), I found "auditd" consumes high CPU
> usage. Is it expected?

It would not be surprising. Some system calls have more overhead than others. 
So, depending on everything that is running, you can kill your system.

> BTW, after turning write-logs off, and add dispatcher, both "audispd" and
> "auditd" are consuming high CPU.

They have a lot of events to handle.

-Steve
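Added example, not code from either poster: a minimal inotify watcher of the kind Hai has in mind as the "lightweight" alternative. Where the thread's configuration (every syscall enabled in audit.rules) makes the kernel emit an audit record for each call on the host, inotify delivers one compact event per change to a watched directory, so the CPU cost scales with file activity under the watch rather than with total syscall volume. The temp-directory layout and the `dropped.bin` file name are this example's own assumptions; it is Linux-only.

```c
/* inotify_watch_demo.c: arm an inotify watch on a scratch directory, write
 * one file into it, and collect the events the kernel delivers.
 * Build: cc -Wall -o inotify_watch_demo inotify_watch_demo.c */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <limits.h>
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <unistd.h>

/* Read every queued event on `fd`, waiting up to `timeout_ms` for the first
 * batch and briefly for stragglers afterwards. Returns the OR of all masks
 * seen so the caller can test for specific event types. */
static uint32_t drain_events(int fd, int timeout_ms)
{
    uint32_t seen = 0;
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    struct pollfd pfd = { .fd = fd, .events = POLLIN };

    for (;;) {
        int r = poll(&pfd, 1, timeout_ms);
        if (r <= 0)
            break;                          /* timeout or error: nothing more */
        ssize_t n = read(fd, buf, sizeof buf);
        if (n <= 0)
            break;
        for (char *p = buf; p < buf + n; ) {
            struct inotify_event *ev = (struct inotify_event *)p;
            /* The queue is finite: if the kernel dropped events, say so
             * rather than silently reporting a clean run. */
            if (ev->mask & IN_Q_OVERFLOW)
                fprintf(stderr, "inotify queue overflow: events were lost\n");
            printf("event mask=0x%08x name=%s\n", ev->mask,
                   ev->len ? ev->name : "(watched dir)");
            seen |= ev->mask;
            p += sizeof *ev + ev->len;      /* name is variable-length */
        }
        timeout_ms = 50;                    /* stragglers only after first batch */
    }
    return seen;
}

/* Self-contained run: scratch dir under /tmp (assumed writable), one file
 * written into it to stand in for a dropped payload. Returns the combined
 * event mask, 0 on any setup failure. */
static uint32_t demo_write_detected(void)
{
    char tmpl[] = "/tmp/inotify-demo-XXXXXX";
    char *dir = mkdtemp(tmpl);
    if (!dir)
        return 0;

    int fd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC);
    if (fd < 0) { rmdir(dir); return 0; }
    /* Only the event classes a file-integrity check cares about; anything
     * else on the box costs nothing here. */
    int wd = inotify_add_watch(fd, dir, IN_CREATE | IN_CLOSE_WRITE | IN_DELETE);
    if (wd < 0) { close(fd); rmdir(dir); return 0; }

    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/dropped.bin", dir);
    FILE *f = fopen(path, "w");
    if (f) { fputs("constructed sample payload\n", f); fclose(f); }

    uint32_t seen = drain_events(fd, 500);

    inotify_rm_watch(fd, wd);
    close(fd);
    unlink(path);
    rmdir(dir);
    return seen;
}

int main(void)
{
    uint32_t m = demo_write_detected();
    printf("combined mask 0x%08x: %s\n", m,
           (m & IN_CLOSE_WRITE) ? "write detected" : "no write seen");
    return (m & IN_CLOSE_WRITE) ? 0 : 1;
}
```

Two caveats before treating this as an IDS: an inotify event carries the file name and change type but not the pid, uid or executable behind it, which is exactly the context audit records supply, and the per-user watch and queue limits (`fs.inotify.max_user_watches`, `max_queued_events`) mean a busy tree can overflow and drop events, so a monitor must treat IN_Q_OVERFLOW as "rescan" rather than ignore it.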