
I'm installing (or about to install) audit as a solution to this problem: Is there a linux log for when a user is denied access to files due to permissions. I'm just wondering if there's a side effect to installing audit on a production environment. I'm also wondering if it would affect something like CloverETL?

1 Answer

Installing auditd by itself is not a problem.
Most mission-critical systems have it installed and running; however, what you are going to try to do with it could be a problem.
It all depends.

The post you referenced is going to add an audit rule which will track every open and openat system call in the system.
Depending on the load of your system, that's a lot of system calls.
See this information from Red Hat: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html

Where they have this note

[image: the note from the Red Hat guide]

Considering that ETL systems do work with lots of files (unless we are talking about a lab), you are looking at a performance impact.
How big? It's hard to say.
It all depends on your workload.

  • Millions of small files versus thousands of big ones.
  • File processing frequency
  • Your hardware specs

I'd suggest implementing this rule in the lab and running a test load to determine if you are seeing any noticeable performance impact.

Dmitry Zayats
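One way to quantify the lab test suggested in the answer, as an added example that is not part of the original post: a Python script that counts how many open/openat records an audit rule produced, per second and per executable, from raw `audit.log` lines. The rule key `access`, the sample records and the restriction to x86_64 (where syscall 2 is open and 257 is openat) are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample of raw audit.log records; key, paths, pids and times are made up.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=2 success=yes exit=3 pid=1200 uid=1000 comm="java" exe="/usr/bin/java" key="access"
type=PATH msg=audit(1700000000.101:501): item=0 name="/data/in/a.csv" inode=4242 mode=0100644
type=SYSCALL msg=audit(1700000000.350:502): arch=c000003e syscall=257 success=yes exit=4 pid=1200 uid=1000 comm="java" exe="/usr/bin/java" key="access"
type=SYSCALL msg=audit(1700000000.900:503): arch=c000003e syscall=257 success=no exit=-13 pid=1200 uid=1000 comm="java" exe="/usr/bin/java" key="access"
type=SYSCALL msg=audit(1700000001.020:504): arch=c000003e syscall=2 success=no exit=-13 pid=1300 uid=1001 comm="cat" exe="/usr/bin/cat" key="access"
"""

X86_64 = "c000003e"            # arch value auditd logs for 64-bit x86
OPEN_SYSCALLS = {"2", "257"}   # open and openat on x86_64 only
EACCES = "-13"                 # exit value of a permission-denied call

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
STAMP = re.compile(r'msg=audit\((\d+)\.\d+:\d+\)')

def summarize(log_text, key="access"):
    """Count open/openat SYSCALL records carrying the given rule key."""
    per_second, per_exe, denied = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        if not line.startswith("type=SYSCALL"):
            continue  # PATH, CWD and other record types belong to the same event
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        stamp = STAMP.search(line)
        if (stamp is None or fields.get("key") != key
                or fields.get("arch") != X86_64
                or fields.get("syscall") not in OPEN_SYSCALLS):
            continue
        exe = fields.get("exe", "?")
        per_second[int(stamp.group(1))] += 1
        per_exe[exe] += 1
        if fields.get("exit") == EACCES:
            denied[exe] += 1
    return {
        "events": sum(per_exe.values()),
        "peak_per_second": max(per_second.values(), default=0),
        "per_exe": dict(per_exe),
        "denied": dict(denied),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Running it over the log captured during the test load shows which executables dominate the record volume and how few of the records are actual denials.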