Is there any system performance penalty for enabling auditing?

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 5

Issue

  • Is there any system performance penalty for enabling auditing?
  • Are there any alternatives to audit for tracing a killer that have less impact on system performance?

Resolution

  • The only way to trace the event is to set the audit rule before it happens.
  • If the system runs 64-bit software and kill is the only syscall that is killing your process, the correct rule is:
# /sbin/auditctl -a exit,always -F arch=b64 -S kill -S tkill -S tgkill -F a1=10 -k signal10
  • With system performance in mind, adding a rule for both 32-bit and 64-bit is likely to add overhead without any benefit.
  • If the system is running both 32-bit and 64-bit compiled processes, add an audit rule for both.
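
An added example (not part of the Red Hat article): a Python reader for the raw SYSCALL records that the rule above logs under the key signal10, reporting which process sent the signal and to whom. The sample records and the /opt/app/worker32 path are constructed; the syscall numbers are those of the x86_64 and i386 tables, and the input is assumed to be raw audit.log lines rather than ausearch -i output.

```python
import re

# Syscall numbers by audit "arch" value (x86_64 and i386 syscall tables).
SYSCALLS = {
    "c000003e": {62: "kill", 200: "tkill", 234: "tgkill"},  # arch=b64 rule
    "40000003": {37: "kill", 238: "tkill", 270: "tgkill"},  # arch=b32 rule
}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def signed32(hex_value):
    """a0..a3 are logged as hex register values; pid_t and int are 32-bit signed."""
    value = int(hex_value, 16) & 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value

def decode(line, key="signal10"):
    """Return who signalled whom for one raw SYSCALL record, else None."""
    if not line.startswith("type=SYSCALL"):
        return None
    f = {k: v.strip('"') for k, v in FIELD.findall(line)}
    name = SYSCALLS.get(f.get("arch"), {}).get(int(f.get("syscall", -1)))
    if f.get("key") != key or name is None:
        return None
    # kill(pid, sig) and tkill(tid, sig) pass the signal in a1, but
    # tgkill(tgid, tid, sig) passes it in a2, so there a1 is a thread id.
    sig_arg = "a2" if name == "tgkill" else "a1"
    return {"syscall": name, "sender_pid": int(f["pid"]), "sender_exe": f["exe"],
            "sender_uid": int(f["uid"]), "target": signed32(f["a0"]),
            "signal": signed32(f[sig_arg])}

def senders(lines):
    """Decode every matching record in an iterable of audit.log lines."""
    return [r for r in map(decode, lines) if r]

# Constructed sample records, trimmed to the fields used here.
SAMPLE = [
    'type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=62 '
    'a0=1f4a a1=a a2=0 a3=0 pid=3538 uid=0 exe="/bin/bash" key="signal10"',
    'type=SYSCALL msg=audit(1364481370.101:24290): arch=c000003e syscall=234 '
    'a0=a a1=a a2=f a3=0 pid=3601 uid=500 exe="/usr/bin/python" key="signal10"',
    'type=SYSCALL msg=audit(1364481375.870:24295): arch=40000003 syscall=37 '
    'a0=1f4a a1=a a2=0 a3=0 pid=4102 uid=500 exe="/opt/app/worker32" key="signal10"',
    'type=CWD msg=audit(1364481375.870:24295): cwd="/root"',
]

if __name__ == "__main__":
    for record in senders(SAMPLE):
        print(record)
```

In the second sample the record matched the rule because the thread id in a1 is 10, while the signal actually sent (a2) is 15, so tgkill records under this key need the signal checked separately.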

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
