On Tue, Mar 1, 2016 at 4:25 PM, Burn Alting <[email protected]> wrote:
> Steve, Paul,
>
> I have yet to put together a bug report, or researched to see if the
> problem exists upstream, but have discovered recursive directory rules
> can be expensive on the kernel. The rules below on a system running
> rabbitmq can see get_task_cred and audit_filter_rules above 10% each.
>
> -w /etc/pam.d -p wa -k PAM_Mods
> -w /boot -k BOOT_Mods
> -w /boot/grub/grub.conf -p war -k BOOT_Mods
> -w /etc/security -p wa -k Security_Mods
> -w /etc/sysconfig -p wa -k Sysconfig_Mods
> -w /etc/ld.so.conf.d -p wa -k Library_Mods
> -w /etc/inittab -p wa -k StartUp_Mods
> -w /etc/rc.d -p wa -k StartUp_Mods

Some of the work that Richard did with fsnotify for audit-by-exec could
be used to help make filesystem watches much more efficient, especially
the case where you are watching a lot of files in a common directory.

--
paul moore
www.paul-moore.com
