[Aide] AIDE configuration taking too long

Mason Nakadomari nakadoma at hawaii.edu
Thu Aug 29 04:37:06 EEST 2013


Thank you for the response. I am running aide.init. Yeah, we thought it was
strange given it's only 50 gigs in root. I'll try that. We feel that it must
be getting stuck somewhere. But even running on different machines doesn't
work.
On Aug 28, 2013 3:17 PM, "Keith Constable" <kccricket at gmail.com> wrote:

On 28 Aug 2013, at 8:53 PM, Mason Nakadomari <nakadoma at hawaii.edu> wrote:

> Hi, my organization is not satisfied with the default aide configuration.
> We want to look at all the files in the root file system without excluding
> directories, for security reasons. We know that certain directories will
> only be checked for certain attributes; for example, log files would not have
> mtime checked. However, I have run a few configurations below scanning the
> whole root to see what attributes we can whittle down to produce a more
> efficient configuration, and it's taking an enormous amount of time.
> I'm using the below configuration.
> CUSTOMTEST1=p+i+u+g+m+acl+selinux+md5
> CUSTOMTEST2=p+i+u+g+s+n+m+acl+selinux
> These are on RHEL 6 servers; this is scanning the whole root.
> So for example:
> @@ifhost test77
> / CUSTOMTEST1
> @@endif
> [root at aid70 /]# df -h
> Filesystem            Size  Used Avail Use% Mounted on
> /dev/mapper/vg0-lvroot
>                        48G  3.1G   42G   7% /
> tmpfs                 937M     0  937M   0% /dev/shm
> /dev/sda1            1007M   67M  890M   7% /boot
>
> The CUSTOMTEST1 config on aide.init continues to run after 3 days.
> The CUSTOMTEST2 config has been running for more than 30 hours.
>
> We figured that the removal of a checksum would help performance, but both
> are taking extremely long.
> Are we butting heads with something in the file system? Is it impossible
> to scan the entire root file system of a Red Hat server with Aide without
> running it for several days?
> I've checked there are no problems with memory or CPU usage.
> Any advice would be appreciated.
> We really need to get these times down, ideally without taking out or
> excluding directories.
> Thank you.

Mason,

Is this during --init or --check? Though, neither one should take anywhere
near that long on such little data.

If I were in your shoes, I would try running aide with the -V231 argument.
It turns on just enough verbosity to show you what files it's working on
without being overwhelming. You can go up to -V255 if you feel you need
more info.

Regards,

Keith Constable
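For reference, a complete aide.conf built around the rule groups from the original post, written as an added example (not a file from the thread or from the AIDE project). The database paths, the host name test77 and the LOGRULE group are assumptions; the /var/log line shows how the "log files without mtime" idea from the post is expressed as a more specific selection line.

```conf
# Added example, not from the thread. Minimal aide.conf for a RHEL 6 host.
# Database locations are assumptions; adjust to the local layout.
database=file:/var/lib/aide/aide.db.gz
database_out=file:/var/lib/aide/aide.db.new.gz
gzip_dbout=yes

# Attribute groups: p perms, i inode, u uid, g gid, s size, n link count,
# m mtime, acl, selinux context, md5 content hash.
CUSTOMTEST1=p+i+u+g+m+acl+selinux+md5
CUSTOMTEST2=p+i+u+g+s+n+m+acl+selinux
# Log files grow and rotate constantly, so size, mtime and hashes would
# only generate noise there; keep ownership, mode and labels (assumed group).
LOGRULE=p+i+u+g+acl+selinux

@@ifhost test77
# Whole root tree, nothing excluded, as the post requires.
/ CUSTOMTEST1
# AIDE applies the most specific matching selection line, so this
# overrides the / rule for the log subtree only.
/var/log LOGRULE
@@endif
```

Build the database with `aide -c /etc/aide.conf --init -V231` to follow Keith's suggestion of watching which files are being processed, then rename aide.db.new.gz to aide.db.gz before the first `--check`.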




_______________________________________________
Aide mailing list
Aide at cs.tut.fi
https://mailman.cs.tut.fi/mailman/listinfo/aide