Hi Steve,
I once read the document you wrote about layering an IDS on top of auditd, and I
suppose inotify could be a lightweight option for an IDS. Any comment?
Best regards
Hai
------------------ Original ------------------
From: "Steve Grubb"<[email protected]>;
Date: Fri, Jul 12, 2019 08:14 PM
To: "linux-audit"<[email protected]>;
Cc: "杨海"<[email protected]>;
Subject: Re: overhead of auditd
Hello,
On Thursday, July 11, 2019 11:23:45 PM EDT 杨海 wrote:
> Turning on all system calls in audit.rules, and transferring a tar file to
> the target system (CentOS 7, 4 cores), I found that "auditd" has high CPU
> usage. Is that expected?
It would not be surprising. Some system calls have more overhead than others.
So, depending on everything that is running, you can kill your system.
> BTW, after turning write-logs off and adding a dispatcher, both "audispd" and
> "auditd" are consuming high CPU.
They have a lot of events to handle.
-Steve
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
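A check a practitioner might want after reading the exchange above: an added example (not from the thread and not part of the audit project) that lints an audit.rules file for the setting the original poster used, a rule that audits every syscall, and for high-rate syscalls audited without a narrowing -F filter. The sample rules and the HOT_SYSCALLS set are constructed for illustration.

```python
import shlex
# Constructed sample audit.rules (not from the thread). The first two rules are
# the "all system calls" setting the original poster enabled.
SAMPLE_RULES = """\
-a always,exit -F arch=b64 -S all
-a always,exit -F arch=b32 -S all
-a always,exit -F arch=b64 -S write -k writes
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=unset -k exec
-a always,exit -F arch=b64 -S open,openat -F exit=-EACCES -k access
-w /etc/passwd -p wa -k identity
"""

# Syscalls that fire at very high rates on a busy host; auditing them without a
# narrowing -F filter is where most of the auditd/audispd load comes from.
HOT_SYSCALLS = {"read", "write", "open", "openat", "close", "mmap", "futex",
                "recvfrom", "sendto", "stat", "fstat", "lseek"}

def parse_rule(line):
    """Return (syscalls, filters) for an -a/-A syscall rule, else None."""
    toks = shlex.split(line)
    if not toks or toks[0] not in ("-a", "-A"):
        return None
    syscalls, filters = set(), []
    for opt, val in zip(toks, toks[1:]):   # walk option/value pairs
        if opt == "-S":
            syscalls.update(val.split(","))
        elif opt == "-F":
            filters.append(val)
    return syscalls, filters

def lint_rules(text):
    """Return (line_no, reason) for rules likely to flood the audit queue."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_rule(line)
        if parsed is None:        # watches (-w) and control lines are cheap
            continue
        syscalls, filters = parsed
        # arch= is required for correctness; it narrows nothing.
        narrowing = [f for f in filters if not f.startswith("arch=")]
        if "all" in syscalls:
            findings.append((n, "audits every syscall (-S all)"))
        elif syscalls & HOT_SYSCALLS and not narrowing:
            hot = ",".join(sorted(syscalls & HOT_SYSCALLS))
            findings.append((n, f"hot syscall(s) {hot} with no narrowing -F filter"))
    return findings
```

Running lint_rules on an existing /etc/audit/audit.rules flags the rules to narrow first; the execve and EACCES rules in the sample pass because they carry a filter that drops most events before they reach auditd.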