[Aide] AIDE configuration taking too long

Mason Nakadomari nakadoma at hawaii.edu
Thu Aug 29 03:53:01 EEST 2013


Hi, my organization is not satisfied with the default aide configuration. We
want to look at all the files in the root file system without excluding
directories for security reasons. We know that certain directories will
only be checked for certain attributes; for example, log files would not have
mtime checked. However, I have run a few configurations below scanning the
whole root to see what attributes we can whittle down to produce a more
efficient configuration, and it's taking an enormous amount of time.
I'm using the below configuration.
CUSTOMTEST1=p+i+u+g+m+acl+selinux+md5
CUSTOMTEST2=p+i+u+g+s+n+m+acl+selinux
These are on RHEL 6 servers; this is scanning the whole root.
So, for example:
@@ifhost test77
/ CUSTOMTEST1
@@ifhost test77
[root@aid70 /]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/vg0-lvroot
                       48G  3.1G   42G   7% /
tmpfs                 937M     0  937M   0% /dev/shm
/dev/sda1            1007M   67M  890M   7% /boot

The CUSTOMTEST1 config on aide.init continues to run after 3 days.
The CUSTOMTEST2 config has been running for more than 30 hours.

We figured that the removal of a checksum would help performance but both
are taking extremely long.
Are we butting heads with something in the file system? Is it impossible to
scan the entire root file system of a Red Hat server with Aide without
running it for several days?
I've checked; there are no problems with memory or CPU usage.
Any advice would be appreciated.
We really need to get these times down ideally without taking out or
excluding directories.
Thank you.