[Aide] AIDE configuration taking too long

Keith Constable kccricket at gmail.com
Thu Aug 29 04:15:04 EEST 2013


On 28 Aug 2013, at 8:53 PM, Mason Nakadomari <nakadoma at hawaii.edu> wrote:

> Hi, my organization is not satisfied with the default aide configuration. We want to look at all the files in the root file system without excluding directories, for security reasons. We know that certain directories will only be checked for certain attributes; for example, log files would not have mtime checked. However, I have run a few configurations below scanning the whole root to see what attributes we can whittle down to produce a more efficient configuration, and it's taking an enormous amount of time.
> I'm using the below configuration.
> CUSTOMTEST1=p+i+u+g+m+acl+selinux+md5
> CUSTOMTEST2=p+i+u+g+s+n+m+acl+selinux
> These are on RHEL 6 servers; this is scanning the whole root.
> So, for example:
> @@ifhost test77
> / CUSTOMTEST1
> @@ifhost test77
> [root at aid70 /]# df -h
> Filesystem            Size  Used Avail Use% Mounted on
> /dev/mapper/vg0-lvroot
>                        48G  3.1G   42G   7% /
> tmpfs                 937M     0  937M   0% /dev/shm
> /dev/sda1            1007M   67M  890M   7% /boot
> 
> The CUSTOMTEST1 config on aide.init continues to run after 3 days.
> The CUSTOMTEST2 config has been running for more than 30 hours.
> 
> We figured that the removal of a checksum would help performance but both are taking extremely long.
> Are we butting heads with something in the file system? Is it impossible to scan the entire root file system of a Red Hat server with Aide without running it for several days?
> I've checked there are no problems with memory or CPU usage.
> Any advice would be appreciated.
> We really need to get these times down ideally without taking out or excluding directories.
> Thank you.

Mason,

Is this during --init or --check? Though, neither one should take anywhere near that long on such little data.

If I were in your shoes, I would try running aide with the -V231 argument. It turns on just enough verbosity to show you what files it's working on without being overwhelming. You can go up to -V255 if you feel you need more info.

Regards,

Keith Constable

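As an added example (not code from the original thread or from the AIDE project), the helper below turns the -V231 output suggested above into something actionable: it stamps every line AIDE prints with the current epoch time, then ranks the longest pauses between consecutive lines, so the path the scan stalls on stands out instead of scrolling past. It assumes only that `aide` is on PATH and emits a new line as it moves from one entry to the next at that verbosity; the exact wording of those lines is not assumed, and the sample trace in the test is constructed, not captured from a real run. One thing worth checking first with such a trace on a bare `/` rule: without exclusions for `/proc` and `/sys`, AIDE walks the pseudo-filesystems too, and `/proc/kcore` alone is presented as a file the size of the kernel's virtual address range (128T on x86_64), which no checksum pass will ever finish.

```shell
#!/bin/sh
# Added example, not part of the original message or of AIDE itself.
# Assumption: at -V231 aide prints (at least) one line per entry it
# handles; the line format is irrelevant here, only its timing is used.
#
# Usage:
#   aide --init -V231 2>&1 | stamp_lines > /tmp/aide-trace.log
#   slowest_entries /tmp/aide-trace.log 5

# Prefix each incoming line with the current epoch time.
stamp_lines() {
    while IFS= read -r line; do
        printf '%s %s\n' "$(date +%s)" "$line"
    done
}

# Rank the N largest pauses in a stamped trace. Each output line is
# "<seconds>\t<line before the pause>\t<line after the pause>", so the
# reader sees the entry being processed whether aide prints a path on
# starting or on finishing it.
slowest_entries() {
    file=$1
    n=${2:-10}
    awk '
        NR > 1 { gap = $1 - prev_ts }
        { ts = $1; sub(/^[0-9]+ /, ""); cur = $0 }
        NR > 1 { printf "%d\t%s\t%s\n", gap, prev_line, cur }
        { prev_ts = ts; prev_line = cur }
    ' "$file" | sort -rn | head -n "$n"
}
```

If the timestamps arrive in bursts, the process feeding the pipe is block-buffering its output; running it as `stdbuf -oL aide --init -V231 2>&1 | stamp_lines` (stdbuf is in coreutils) or stamping only the stderr stream fixes that.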
