Hello,

On Tue, 23 May 2017 11:05:18 +0200 Klaus Lichtenwalder <[email protected]> wrote:
> On 19 May 2017 23:41:58 CEST, Stephen Buchanan <[email protected]> wrote:
> >Agree with Steve's suggestion re: "-S all". Also might help if you
> >sort
>
> I now know where -S all stems from... Some watches add a -S all by
> themselves... Probably created an audit.rules file by textually
> working from there and duplicating rules

What is the source of your rules listed? Is it coming from auditctl -l or from /etc/audit/audit.rules? There were a couple of releases of auditctl where I think -S all may have been added, but if I remember correctly it was fixed a few releases later. The rules that come from disk would be more accurate.

-Steve

> >your rules to put all the ones with '-F auid>=400' below a single
> >line rule
> >like this:
> >-a never,exit -F auid<400
> >
> >and remove the '-F auid>=400' from all of the rules below it.
> >
> ...
>
> I did this, and verified it, but there was absolutely no difference
> to unsorted rules having -S all also specified
>
> Still CPU %system up to 50% and run time of jobs 100% longer.
> This was on a VM with 72 CPUs.
>
> Klaus
>
> --
> Linux-audit mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/linux-audit
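The two points raised in this thread, Steve's question about whether the "-S all" comes from auditctl -l or from the file on disk, and Stephen Buchanan's suggestion to put one "-a never,exit -F auid<400" rule above the rules that carried "-F auid>=400" and drop that field from them, can both be checked mechanically against the on-disk rules. The script below is an added example, not code from the thread, from auditd or from the audit project; the rules text it works on is constructed for the example, and the threshold of 400 is the value used in the thread.

```python
import re
from collections import Counter

# Constructed sample audit.rules content (not taken from the thread). It shows
# the two things discussed: rules that match every syscall via "-S all", and
# "-F auid>=400" repeated on each rule instead of one "never" rule above them.
SAMPLE_RULES = """\
# constructed sample, not a real system's rules
-D
-b 8192
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S all -F auid>=400 -F auid!=4294967295 -k all_syscalls
-a always,exit -F arch=b64 -S open,openat -F auid>=400 -F auid!=4294967295 -k file_access
-a always,exit -F arch=b64 -S execve -F auid>=400 -F auid!=4294967295 -k exec
-a always,exit -F arch=b64 -S open,openat -F auid>=400 -F auid!=4294967295 -k file_access
"""

AUID_GE = re.compile(r"-F\s+auid>=(\d+)")       # the per-rule filter to lift out
S_ALL = re.compile(r"(^|\s)-S\s+all(\s|$)")      # "match every system call"


def parse_rules(text):
    """Non-empty, non-comment lines of an audit.rules file, whitespace normalised."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rules.append(" ".join(line.split()))
    return rules


def duplicate_rules(rules):
    """Rules listed more than once. The kernel refuses an identical rule (EEXIST),
    so a second copy only produces a load error from auditctl -R; it is usually
    the trace of a file assembled by hand from auditctl -l output."""
    return [r for r, n in Counter(rules).items() if n > 1]


def s_all_rules(rules):
    """Syscall rules using '-S all': every system call exit is checked against them."""
    return [r for r in rules if S_ALL.search(r)]


def collapse_auid(rules, threshold=400):
    """Reorder the way the thread suggests: rules without an 'auid>=threshold'
    filter stay where they are, then one '-a never,exit -F auid<threshold' rule,
    then the filtered rules with '-F auid>=threshold' removed (duplicates dropped).
    The exit filter stops at the first matching rule, so the single never rule
    answers for every auid below the threshold before the rules after it are
    consulted. Other filters (for example auid!=4294967295) are left in place."""
    kept, lifted = [], []
    for rule in rules:
        m = AUID_GE.search(rule)
        if m and int(m.group(1)) == threshold:
            stripped = " ".join(AUID_GE.sub("", rule).split())
            if stripped not in lifted:
                lifted.append(stripped)
        else:
            kept.append(rule)
    if not lifted:
        return list(rules)
    return kept + [f"-a never,exit -F auid<{threshold}"] + lifted


def report(text):
    """Summarise the problems found in a rules file and return the reordered set."""
    rules = parse_rules(text)
    return {
        "duplicates": duplicate_rules(rules),
        "s_all": s_all_rules(rules),
        "reordered": collapse_auid(rules),
    }


if __name__ == "__main__":
    result = report(SAMPLE_RULES)
    print("duplicate rules:", *result["duplicates"], sep="\n  ")
    print("'-S all' rules:", *result["s_all"], sep="\n  ")
    print("reordered rules:", *result["reordered"], sep="\n  ")
```

Run it on the file that is actually loaded at boot (/etc/audit/audit.rules, or the fragments augenrules assembles from /etc/audit/rules.d on systems that use it) rather than on auditctl -l output, which is Steve's point: the listing can print "-S all" on rules that were written without it. The never rule covers only auids below the threshold, so the "auid!=4294967295" filter for an unset login uid still has to stay on the rules beneath it, and the script keeps it there.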
