Re: BIG performance hit with auditd on large systems (>64 CPUs)

2017-05-30 Thread Paul Moore
On Tue, May 30, 2017 at 2:17 PM, Klaus Lichtenwalder wrote: your rules to put all the ones with '-F auid>=400' below a single line rule like this: -a never,exit -F auid<400 and remove the '-F auid>=400' from all of the rules below it. >>> ... >>> >>> I did this,

Re: BIG performance hit with auditd on large systems (>64 CPUs)

2017-05-30 Thread Klaus Lichtenwalder
>>> your rules to put all the ones with '-F auid>=400' below a single >>> line rule >>> like this: >>> -a never,exit -F auid<400 >>> >>> and remove the '-F auid>=400' from all of the rules below it. >>> >> ... >> >> I did this, and verified it, but there was absolutely no difference >> to unsorte

Re: BIG performance hit with auditd on large systems (>64 CPUs)

2017-05-24 Thread Klaus Lichtenwalder
On 23 May 2017 14:51:29 CEST, Steve Grubb wrote: >Hello, > >On Tue, 23 May 2017 11:05:18 +0200 >Klaus Lichtenwalder wrote: >> On 19 May 2017 23:41:58 CEST, Stephen Buchanan wrote: >> >Agree with Steve's suggestion re: "-S all". Also might help if you >> >sort >> >> I now know where -S

Re: BIG performance hit with auditd on large systems (>64 CPUs)

2017-05-23 Thread Steve Grubb
Hello, On Tue, 23 May 2017 11:05:18 +0200 Klaus Lichtenwalder wrote: > On 19 May 2017 23:41:58 CEST, Stephen Buchanan wrote: > >Agree with Steve's suggestion re: "-S all". Also might help if you > >sort > > I now know where -S all stems from... Some watches add a -S all by > themselves...

Re: BIG performance hit with auditd on large systems (>64 CPUs)

2017-05-23 Thread Klaus Lichtenwalder
Hi everybody On 19 May 2017 23:41:58 CEST, Stephen Buchanan wrote: >Agree with Steve's suggestion re: "-S all". Also might help if you sort I now know where -S all stems from... Some watches add a -S all by themselves... Probably created an audit.rules file by textually working from there an

Re: BIG performance hit with auditd on large systems (>64 CPUs)

2017-05-20 Thread Klaus Lichtenwalder
On 19 May 2017 23:41:58 CEST, Stephen Buchanan wrote: >Agree with Steve's suggestion re: "-S all". Also might help if you sort >your rules to put all the ones with '-F auid>=400' below a single line >rule >like this: >-a never,exit -F auid<400 > >and remove the '-F auid>=400' from all of the rul

Re: BIG performance hit with auditd on large systems (>64 CPUs)

2017-05-19 Thread Stephen Buchanan
Agree with Steve's suggestion re: "-S all". Also might help if you sort your rules to put all the ones with '-F auid>=400' below a single line rule like this: -a never,exit -F auid<400 and remove the '-F auid>=400' from all of the rules below it. Like so: -a always,exit -F arch=b64 -S execve -F a

Re: BIG performance hit with auditd on large systems (>64 CPUs)

2017-05-19 Thread Paul Moore
On Fri, May 19, 2017 at 2:52 PM, Klaus Lichtenwalder wrote: > Hi, > > we have a few SAP systems on RHEV (so virtualized on KVM) with >= 74 > CPUs and >= 400G RAM. > When the system is busy with large SAP jobs, it goes onto its knees with > cpu %system up to 80%, thus making the SAP jobs run twice

BIG performance hit with auditd on large systems (>64 CPUs)

2017-05-19 Thread Klaus Lichtenwalder
Hi, we have a few SAP systems on RHEV (so virtualized on KVM) with >= 74 CPUs and >= 400G RAM. When the system is busy with large SAP jobs, it goes onto its knees with cpu %system up to 80%, thus making the SAP jobs run twice as long. As soon as you stop auditd everything returns to normal... Fac