From mboxrd@z Thu Jan 1 00:00:00 1970
From: Satish Chandra Kilaru
Subject: Re: Linux audit performance impact
Date: Wed, 28 Jan 2015 10:18:47 -0500
References: <9DBA79E0CE64AA42B07DEDAAD0F7DB9141659CA2@G4W3222.americas.hpqcorp.net>
In-Reply-To: <9DBA79E0CE64AA42B07DEDAAD0F7DB9141659CA2@G4W3222.americas.hpqcorp.net>
To: "Viswanath, Logeswari P (MCOU OSTL)"
Cc: "linux-audit@redhat.com"
List-Id: linux-audit@redhat.com

Write your own program to receive audit events directly without using auditd... That should be faster .... Auditd will log the events to disk causing more I/O than you need...

On Wednesday, January 28, 2015, Viswanath, Logeswari P (MCOU OSTL) <logeswari.pv@hp.com> wrote:

> Hi Steve,
>
> I am Logeswari working for HP.
>
> We want to know audit performance impact on RHEL and Suse linux to help us evaluate linux audit as data source for our host based IDS.
> When we ran our own performance test with a test audispd plugin, we found if a system can perform 200000 open/close system calls per second without auditing, the system can perform only 3000 open/close system calls when auditing is enabled for the open/close system calls, which is a HUGE impact on the system performance. It would be great if anyone can help us answer the following questions.
>
> 1) Is this performance impact expected? If yes, what is the reason behind it and can we fix it?
>
> 2) Has anyone done any benchmarking for performance impact? If yes, can you please share the numbers and also the steps/programs used to run the same.
>
> 3) Help us validate the performance test we have done in our test setup using the steps mentioned along with the results attached.
>
> Attached test program (loader.c) to invoke open and close system calls.
>
> Attached idskerndsp is the audispd plugin program.
>
> We used the time command to determine how much time the system took to complete 50000 open/close system calls without auditing (results attached: Without-auditing) and with auditing enabled on the system (With-auditing-NOLOG-audispd-plugin and With-auditing-RAW).
>
> System details:
>
> 1 CPU machine
>
> *OS Version*
> RHEL 6.5
>
> *Kernel Version*
> uname -r
> 2.6.32-431.el6.x86_64
>
> Note: auditd was occupying 35% of CPU and was sleeping for most of the time whereas kauditd was occupying 20% of the CPU.
>
> Thanks & Regards,
> Logeswari.

--
Please Donate to www.wikipedia.org
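The quoted message describes its benchmark method (time a fixed number of open/close system calls, once with no audit rules and once with a rule on open/close) but the attached loader.c is not on the page. The following is an added example written for this thread, not the original attachment: a small C harness that runs N open/close pairs against a path and reports wall-clock time, the process's own user/system CPU time, and the resulting syscall rate. The default path (/dev/null) and the default count (50000, matching the original test) are assumptions of this example.

```c
/* Added example: time N open()/close() pairs so the same run can be compared
 * with and without audit rules. Not the loader.c from the original message. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>
#include <sys/resource.h>

struct bench_result {
    long iterations;      /* open/close pairs attempted */
    long failures;        /* open() calls that returned -1 */
    double wall_seconds;  /* elapsed wall-clock time for the loop */
    double user_seconds;  /* this process's user-mode CPU time */
    double sys_seconds;   /* this process's kernel-mode CPU time (audit hook cost lands here) */
    double pairs_per_sec; /* iterations / wall_seconds */
};

static double tv_to_sec(struct timeval tv)
{
    return (double)tv.tv_sec + (double)tv.tv_usec / 1e6;
}

/* Run `iterations` open/close pairs against `path` and measure them.
 * auditd/kauditd CPU is charged to those daemons, not to this process, so
 * watch them separately (e.g. in top) as the original message did. */
struct bench_result bench_open_close(const char *path, long iterations)
{
    struct bench_result r = {0};
    struct timespec t0, t1;
    struct rusage ru0, ru1;

    r.iterations = iterations;
    getrusage(RUSAGE_SELF, &ru0);
    clock_gettime(CLOCK_MONOTONIC, &t0);
    for (long i = 0; i < iterations; i++) {
        int fd = open(path, O_RDONLY);
        if (fd < 0) {
            r.failures++;   /* still counts as a syscall the audit rule saw */
            continue;
        }
        close(fd);
    }
    clock_gettime(CLOCK_MONOTONIC, &t1);
    getrusage(RUSAGE_SELF, &ru1);

    r.wall_seconds = (double)(t1.tv_sec - t0.tv_sec)
                   + (double)(t1.tv_nsec - t0.tv_nsec) / 1e9;
    r.user_seconds = tv_to_sec(ru1.ru_utime) - tv_to_sec(ru0.ru_utime);
    r.sys_seconds  = tv_to_sec(ru1.ru_stime) - tv_to_sec(ru0.ru_stime);
    r.pairs_per_sec = r.wall_seconds > 0 ? (double)iterations / r.wall_seconds : 0;
    return r;
}

int main(int argc, char **argv)
{
    /* Assumed defaults: /dev/null and 50000 pairs, the count used in the original test. */
    const char *path = argc > 1 ? argv[1] : "/dev/null";
    long n = argc > 2 ? atol(argv[2]) : 50000;
    struct bench_result r = bench_open_close(path, n);
    printf("%ld open/close pairs on %s: %.3f s wall (user %.3f s, sys %.3f s), "
           "%.0f pairs/s, %ld open() failures\n",
           r.iterations, path, r.wall_seconds, r.user_seconds, r.sys_seconds,
           r.pairs_per_sec, r.failures);
    return r.failures ? 1 : 0;
}
```

Build with `gcc -O2 -o openclose_bench openclose_bench.c`, run it once with no audit rules loaded, then add a syscall rule for open and close with auditctl (the message's "With-auditing-RAW" and audispd-plugin variants differ only in what consumes the events, not in this harness) and run it again; the drop in pairs/s and the rise in sys time is the in-kernel cost of the audit path, while the auditd and kauditd CPU usage the message reports must be read from top or similar. One caveat when reproducing this on a newer distribution than the RHEL 6.5 in the message: current glibc implements open() with the openat system call, so a rule that names only the open syscall will not fire and the "with auditing" run will look unchanged.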