overhead of auditd

Steve Grubb sgrubb at redhat.com
Mon Jul 15 14:56:30 UTC 2019


On Monday, July 15, 2019 6:21:11 AM EDT 杨海 wrote:
> I have read the document you wrote about layering an IDS on top of auditd, and I
> suppose inotify could be lightweight for an IDS. Any comment?

Yes, audit works fine for IDS work. But one would not audit all syscalls for 
every program. That will kill your system. You have to be selective about 
what you are auditing.

-Steve
 
> ------------------ Original ------------------
> From:  "Steve Grubb"<sgrubb at redhat.com>;
> Date:  Fri, Jul 12, 2019 08:14 PM
> To:  "linux-audit"<linux-audit at redhat.com>; 
> Cc:  "杨海"<hai.yang at magic-shield.com>; 
> Subject:  Re: overhead of auditd
> 
> Hello,
> 
> On Thursday, July 11, 2019 11:23:45 PM EDT 杨海 wrote:
> 
> > Turning on all system calls in audit.rules, and transferring a tar file
> > to the target system (CentOS 7, 4 cores), I found "auditd" consumes
> > high CPU usage. Is it expected?
> 
> It would not be surprising. Some system calls have more overhead than
> others. So, depending on everything that is running, you can kill your
> system.
> 
> > BTW, after turning write-logs off and adding a dispatcher, both "audispd"
> > and "auditd" are consuming high CPU.
> 
> They have a lot of events to handle.
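A defender-side check for the point made above (audit selectively, never every syscall for every process), as an added example that is not code from this thread or from the audit project: a small linter that reads an audit.rules file and flags syscall rules that match everything. The two rule sets are constructed for illustration; the `-a`/`-S`/`-F`/`-w`/`-k` syntax follows auditctl(8), but the linter only understands the subset of that grammar shown here, and treating an exit rule with no `-S` as a catch-all is this example's own conservative assumption.

```python
"""Lint audit.rules for catch-all syscall rules.

Added example, not code from the linux-audit thread or the audit project.
Only a small subset of the auditctl(8) rule grammar is handled.
"""
import shlex

# Constructed sample rule sets. The first audits every syscall for every
# process (the configuration that drives auditd/audispd CPU usage up);
# the second is selective: file watches plus a few filtered syscall rules.
CATCH_ALL_RULES = """
-D
-b 8192
-a always,exit -S all
"""

SELECTIVE_RULES = """
-D
-b 8192
## Watch identity files for writes and attribute changes
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
## Only the execve syscall, only for real (non-system) login users
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=unset -k exec
## Socket creation by root only
-a always,exit -F arch=b64 -S socket -F euid=0 -k net
"""


def parse_rule(line):
    """Parse one '-a action,list ...' syscall rule into a dict.

    Returns None for comments, blank lines, watches (-w) and control
    options (-D, -b, ...), which are not syscall rules.
    """
    tokens = shlex.split(line, comments=True)
    if len(tokens) < 2 or tokens[0] not in ("-a", "-A"):
        return None
    rule = {"action_list": tokens[1], "syscalls": [], "filters": [],
            "key": None, "raw": line.strip()}
    i = 2
    while i < len(tokens):
        flag = tokens[i]
        value = tokens[i + 1] if i + 1 < len(tokens) else ""
        if flag == "-S":
            rule["syscalls"].extend(value.split(","))
        elif flag == "-F":
            rule["filters"].append(value)
        elif flag == "-k":
            rule["key"] = value
        i += 2
    return rule


def is_catch_all(rule):
    """True when a rule audits every syscall without narrowing who/what.

    A rule is a catch-all when it names '-S all' (or, as this example's
    conservative assumption, no -S at all) and its only -F filters are
    'arch=' selectors, which do not reduce the event volume.
    """
    all_syscalls = not rule["syscalls"] or "all" in rule["syscalls"]
    narrowing = [f for f in rule["filters"] if not f.startswith("arch=")]
    return all_syscalls and not narrowing


def lint(rules_text):
    """Return the raw text of every catch-all syscall rule in rules_text."""
    offenders = []
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule is not None and is_catch_all(rule):
            offenders.append(rule["raw"])
    return offenders


if __name__ == "__main__":
    for name, text in (("catch-all", CATCH_ALL_RULES),
                       ("selective", SELECTIVE_RULES)):
        hits = lint(text)
        print(f"{name}: {len(hits)} catch-all rule(s)")
        for raw in hits:
            print("  ", raw)
```

Run it against `/etc/audit/rules.d/*.rules` before loading a rule set on a busy host; a hit means that rule will generate an event for every syscall of every process, which is exactly the load described in the thread.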
