On 19 May 2017 23:00:24 CEST, Steve Grubb <[email protected]> wrote:
>On Friday, May 19, 2017 4:22:24 PM EDT Klaus Lichtenwalder wrote:
..
>> These are the audit rules:
>> auditctl -l
>> -a always,exit -S all -F path=/etc/environment -F perm=wa -F auid>=400 -F key=CRIT_CONF
>
>Clipped all the other rules. Out of curiosity, why do you include -S all in
>every rule? That will automatically send the syscall into the syscall rules
>which affects the performance of every single syscall in every single
>application. The majority of your rules are file watches which generally take
>a different route that is more efficient.
>
>To fix this, just remove "-S all" in every rule. I bet it works much better
>after that.
>
>-Steve

Hi Steve,

Actually, I can't tell where this originated... Somehow this got included somehow sometimes, and probably all other rules copied that.
Will check on Monday, as nobody is available to start those jobs this weekend.

Thanks
Klaus
--
This message was sent from my Android mobile phone with K-9 Mail.
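
The clean-up suggested in the thread, as an added example that is not code from either poster or from the audit project: a small Python filter that drops `-S all` from rules carrying a `path=` or `dir=` field and leaves every other rule untouched. Restricting the rewrite to file-watch rules is a conservative assumption made here; the function names and all sample rules except the first are constructed.

```python
# Constructed sample input: the first rule is the one quoted in the thread;
# the others are hypothetical rules added for contrast.
SAMPLE_RULES = """\
# critical config files
-a always,exit -S all -F path=/etc/environment -F perm=wa -F auid>=400 -F key=CRIT_CONF
-a always,exit -S all -F dir=/etc/ssh -F perm=wa -F key=CRIT_CONF
-a always,exit -F arch=b64 -S execve -F auid>=400 -F key=EXEC
-a always,exit -S all -F auid>=400 -F key=EVERYTHING
-w /etc/passwd -p wa -k CRIT_CONF
"""


def is_file_watch(tokens):
    """True if a rule carries a -F path=... or -F dir=... field."""
    fields = [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == "-F"]
    return any(f.startswith(("path=", "dir=")) for f in fields)


def strip_syscall_all(rule):
    """Drop '-S all' from a file-watch rule; return (rule, changed)."""
    tokens = rule.split()
    if not tokens or tokens[0] not in ("-a", "-A") or not is_file_watch(tokens):
        return rule, False  # comments, -w watches and pure syscall rules
    kept, i = [], 0
    while i < len(tokens):
        if tokens[i] == "-S" and tokens[i + 1:i + 2] == ["all"]:
            i += 2  # skip the flag and its 'all' argument
            continue
        kept.append(tokens[i])
        i += 1
    return " ".join(kept), len(kept) != len(tokens)


def rewrite_rules(text):
    """Rewrite a rules file; return (new_text, changed line numbers)."""
    out, changed_lines = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        new, changed = strip_syscall_all(line)
        out.append(new)
        if changed:
            changed_lines.append(lineno)
    return "\n".join(out) + "\n", changed_lines


if __name__ == "__main__":
    new_text, changed = rewrite_rules(SAMPLE_RULES)
    print(new_text, end="")
    print("# rewritten lines:", changed)
```

The rule with `-S all` but no path or dir field is deliberately left as written, so it still needs a manual decision.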
