Hi everybody

On 19 May 2017 23:41:58 CEST, Stephen Buchanan <[email protected]> wrote:
>Agree with Steve's suggestion re: "-S all". Also might help if you sort

I now know where -S all stems from... Some watches add a -S all by themselves... Probably created an audit.rules file by textually working from there and duplicating rules

>your rules to put all the ones with '-F auid>=400' below a single line
>rule
>like this:
>-a never,exit -F auid<400
>
>and remove the '-F auid>=400' from all of the rules below it.
>
...

I did this, and verified it, but there was absolutely no difference to unsorted rules having -S all also specified

Still cpu %system up to 50% and run time of jobs 100% longer. This was on a vm with 72 cpus

Klaus
--
Sent from my phone with K9. The recipient may keep any typos and odd words.

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
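The rule regrouping discussed in this message, as an added example that is not part of the original post or of the audit project's tooling. It goes one step beyond the quoted advice by keeping watches and rules without the auid test above the `never` rule, because the first matching rule on the exit list decides; the sample rules and the function names are constructed for illustration.

```python
# Added example: regroup audit rules behind one early-exit rule.
AUID_FILTER = "auid>=400"                 # field test quoted in the thread
NEVER_RULE = "-a never,exit -F auid<400"  # single rule quoted in the thread

# Constructed sample rules file (not from the original post).
SAMPLE_RULES = """\
-D
-b 8192
-a always,exit -F arch=b64 -S chmod -S fchmod -F auid>=400 -k perm_mod
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S unlink -S rename -F auid>=400 -k delete
-a always,exit -F arch=b64 -S adjtimex -k time_change
-e 2
"""

def split_auid_filter(line):
    """Return (rule without '-F auid>=400', True) or (line, False)."""
    tokens, kept, found, i = line.split(), [], False, 0
    while i < len(tokens):
        if tokens[i] == "-F" and tokens[i + 1:i + 2] == [AUID_FILTER]:
            found, i = True, i + 2
        else:
            kept.append(tokens[i])
            i += 1
    return (" ".join(kept), True) if found else (line, False)

def regroup(text):
    """Unfiltered rules first, then the never rule, then the stripped rules."""
    head, stripped, tail = [], [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.split()[0] == "-e":       # enable/lock flag must stay last
            tail.append(line)
            continue
        rule, had_filter = split_auid_filter(line)
        # Only syscall rules on the exit list are moved below the never rule.
        if had_filter and rule.split()[:2] in (["-a", "always,exit"], ["-a", "exit,always"]):
            stripped.append(rule)
        else:
            head.append(line)
    if not stripped:
        return head + tail
    return head + [NEVER_RULE] + stripped + tail

if __name__ == "__main__":
    print("\n".join(regroup(SAMPLE_RULES)))
```
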
