overhead of auditd

F Rafi farhanible at gmail.com
Mon Jul 15 12:29:25 UTC 2019


You can enable the syscalls that you think will be helpful from an IDS
perspective.

There are also other downstream tools like goaudit and OSS kernel modules
like sysdig falco (not related to auditd) which may be able to simplify
things for you.

Farhan

On Mon, Jul 15, 2019 at 6:25 AM 杨海 <hai.yang at magic-shield.com> wrote:

> Hi Steve,
>
> I once read the document you wrote about layering an IDS on top of auditd, and
> I suppose inotify could be lightweight for an IDS. Any comment?
>
> Best regards
> Hai
>
>
> ------------------ Original ------------------
> From: "Steve Grubb" <sgrubb at redhat.com>
> Date: Fri, Jul 12, 2019 08:14 PM
> To: "linux-audit" <linux-audit at redhat.com>
> Cc: "杨海" <hai.yang at magic-shield.com>
> Subject: Re: overhead of auditd
>
> Hello,
>
> On Thursday, July 11, 2019 11:23:45 PM EDT 杨海 wrote:
> > Turning on all system calls in audit.rules, and transferring a tar file to
> > the target system (CentOS 7, 4 cores), I found "auditd" consumes high CPU
> > usage. Is it expected?
>
> It would not be surprising. Some system calls have more overhead than
> others. So, depending on everything that is running, you can kill your system.
>
> > BTW, after turning write-logs off and adding a dispatcher, both "audispd" and
> > "auditd" are consuming high CPU.
>
> They have a lot of events to handle.
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
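The thread's root cause is a ruleset that audits every system call. As an added example (not code from the thread or from the audit project), here is a small Python checker that reads audit.rules text and flags exit-filter rules that match every syscall with nothing but an arch field to narrow them; the sample ruleset and its keys are constructed.

```python
"""Lint audit.rules for rules that audit every system call (constructed example)."""
import shlex

# Constructed sample ruleset. Line 3 is the "all system calls" style of rule
# from the thread; the rules after it audit only what an IDS typically needs.
SAMPLE_RULES = """\
-D
-b 8192
-a always,exit -F arch=b64 -S all -k everything
-a always,exit -F arch=b64 -S execve,execveat -k exec
-a always,exit -F arch=b64 -S connect -F success=1 -k net_connect
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-e 2
"""

def parse_rule(line):
    """Parse one '-a' rule into its list, syscalls, fields and key; None otherwise."""
    tokens = shlex.split(line, comments=True)
    if len(tokens) < 2 or tokens[0] not in ("-a", "-A"):
        return None  # control options (-D, -b, -e) and -w watches are not syscall rules
    rule = {"list": tokens[1], "syscalls": [], "fields": [], "key": None}
    i = 2
    while i < len(tokens):
        opt = tokens[i]
        arg = tokens[i + 1] if i + 1 < len(tokens) else None
        if opt == "-S" and arg:
            rule["syscalls"].extend(arg.split(","))
        elif opt == "-F" and arg:
            rule["fields"].append(arg)
        elif opt == "-k" and arg:
            rule["key"] = arg
        i += 2
    return rule

def find_broad_rules(text):
    """Return (line number, key) for exit-filter rules that match every syscall and
    carry no field other than arch. A rule with no -S is treated as matching all
    syscalls, which is auditctl's documented default."""
    broad = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None or "exit" not in rule["list"].split(","):
            continue
        every_syscall = not rule["syscalls"] or "all" in rule["syscalls"]
        narrowing = [f for f in rule["fields"] if not f.startswith("arch=")]
        if every_syscall and not narrowing:
            broad.append((lineno, rule["key"]))
    return broad
```

Running `find_broad_rules` over a real `/etc/audit/rules.d/*.rules` file points at the rules worth narrowing to specific syscalls before reaching for a different collector.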