>>> your rules to put all the ones with '-F auid>=400' below a single >>> line rule >>> like this: >>> -a never,exit -F auid<400 >>> >>> and remove the '-F auid>=400' from all of the rules below it. >>> >> ... >> >> I did this, and verified it, but there was absolutely no difference >> to unsorted rules having​ -S all also specified >> >> Still cpu %system up to 50% and run time of jobs 100% longer. >> This was on a vm with 72 cpus >>
Just to give this story some kind of closure: we got a test kernel from $SUPPORT fixing a specifig bugzilla (which seems to be private) and %cpu system is in normal (low) ranges again. So thanks for your advices, they are still heeded! Klaus -- ------------------------------------------------------------------------ Klaus Lichtenwalder, Dipl. Inform., http://www.lichtenwalder.name/ PGP Key fingerprint: 3AE6 044D 1161 1ABF AC2D 23B3 4C15 7232 FDCA 0980 -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
