Re: Linux audit performance impact

From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: "Viswanath, Logeswari P (MCOU OSTL)" <logeswari.pv@hp.com>
Subject: Re: Linux audit performance impact
Date: Wed, 28 Jan 2015 22:39:52 -0500	[thread overview]
Message-ID: <2570512.tu3C9iW5N2@x2> (raw)
In-Reply-To: <CAAnai+W5WWJ1n=s1ojODH92AeU81jR44fqNHLz+d2zyyHkjG=A@mail.gmail.com>

On Wednesday, January 28, 2015 10:18:47 AM Satish Chandra Kilaru wrote:
> Write your own program to receive audit events directly without using
> auditd...
> That should be faster ....
> Auditd will log the events to disk causing more I/o than u need...

But even that is configurable in many ways. You can decide if you want logging 
to disk or not and what kind of assurance that it made it to disk and the 
priority of that audit daemon. Then you also have all the normal tuning knobs 
for disk throughput that you would use for any disk performance critical 
system.

-Steve

> On Wednesday, January 28, 2015, Viswanath, Logeswari P (MCOU OSTL) <
> 
> logeswari.pv@hp.com> wrote:
> >  Hi Steve,
> > 
> > I am Logeswari working for HP.
> > 
> > 
> > 
> > We want to know audit performance impact on RHEL and Suse linux to help us
> > evaluate linux audit as data source for our host based IDS.
> > 
> > When we ran our own performance test with a test audispd plugin, we found
> > if a system can perform 200000 open/close system calls per second without
> > auditing, system can perform only 3000 open/close system calls auditing is
> > enabled for open/close system call which is a HUGE impact on the system
> > performance. It would be great if anyone can help us answering the
> > following questions.
> > 
> > 
> > 
> > 1)      Is this performance impact expected? If yes, what is the reason
> > behind it and can we fix it?
> > 
> > 2)      Have anyone done any benchmarking for performance impact? If yes,
> > can you please share the numbers and also the steps/programs used the run
> > the same.
> > 
> > 3)      Help us validating the performance test we have done in our test
> > setup using the steps mentioned along with the results attached.
> > 
> > 
> > 
> > Attached test program (loader.c) to invoke open and close system calls.
> > 
> > Attached idskerndsp is the audispd plugin program.
> > 
> > We used time command to determine how much time the system took to
> > complete 50000 open/close system calls without (results attached
> > Without-auditing) and with auditing enabled on the system
> > (With-auditing-NOLOG-audispd-plugin and With-auditing-RAW)
> > 
> > 
> > 
> > System details:
> > 
> > 
> > 
> > 1 CPU machine
> > 
> > 
> > 
> > *OS Version*
> > 
> > RHEL 6.5
> > 
> > 
> > 
> > *Kernel Version*
> > 
> > uname –r
> > 
> > 2.6.32-431.el6.x86_64
> > 
> > 
> > 
> > Note: auditd was occupying 35% of CPU and was sleeping for most of the
> > time whereas kauditd was occupying 20% of the CPU.
> > 
> > 
> > 
> > Thanks & Regards,
> > 
> > Logeswari.

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit