LinuxQuestions.org


oneeyeman1 04-08-2015 02:21 PM

AIDE performance hit on OS upgrade
 
Hi, ALL,
I'm a long time Linux user but at home I'm using Gentoo.
Recently I got hired as a developer and at work the company uses RedHat.

Now we are facing the following issue.

We are very close to the release of our software. And we use RedHat as an OS. One of the components of the OS image is the AIDE tool.

The previous version of the software was shipped with the RedHat 5 which uses AIDE version 0.13.1. There was no problem at all.

The current version of the software will be shipped with RH 6, which uses AIDE version 0.14. Here we have the following issue:

Right after the OS boot-up the AIDE scan kicks in. The time frame for the AIDE tool to run differs significantly between those 2 releases/OSes. On RHEL 6 it takes 2-2.5 times longer than on RHEL 5. Now during the bootup process we scan only the system (critical) files. Looking at the critical database file size and comparing between v5 and v6, I see an increase of just ~20%. This does not qualify as the 2 times increase of the scan time.

I checked and the configuration files are the same in both cases. Nothing was changed.

I also checked the command line of the AIDE and we start the tool the same way on both RH5 and RH6.

Now we do use RH5 and RH6 as 32-bit OSes. However, when I tried to run:

Code:

/usr/sbin/aide --version
I see that the configuration parameters used are "WITH_LSTAT64" and "WITH_READDIR64". Now that configuration is the same on both RH5 and RH6. The only difference is that the RH6 AIDE was compiled without ZLIB and without PRELINK.

The scan runs right after the OS boots up and so nothing is running on the machine.

I tried to build the AIDE tool manually, but "configure" throws an error saying I need libgpg-error.a to be installed. Both the libgpg-error and libgpg-error-devel packages are installed on the system.

Does anybody have an idea what might be the cause?

Thank you for any pointers you can give.

unSpawn 04-09-2015 05:45 PM

No idea what's causing it. I suggest you create a database with say just three files to check then run them on both OS versions using 'strace' with time stamping then compare results. A quick win could be replacing AIDE with Samhain as it's more efficient IMHO.

oneeyeman1 04-10-2015 12:56 PM

Hi,
Quote:

Originally Posted by unSpawn (Post 5345141)
No idea what's causing it. I suggest you create a database with say just three files to check then run them on both OS versions using 'strace' with time stamping then compare results. A quick win could be replacing AIDE with Samhain as it's more efficient IMHO.

Unfortunately we are stuck with AIDE (at least for now!).
I did run it under strace and surprisingly enough the most calls were made to the socket function (~2000).

I also turned off prelinking globally by editing /etc/sysconfig/prelink and then running /usr/sbin/prelink -ua, and re-ran AIDE under strace. The number of socket calls dropped by half.

So I guess the culprit is in the prelinking code of the AIDE. Now the problem is to convince our senior devs and management to try to rebuild the AIDE, redo the scan and fix the timing issue. ;-)

Thank you for the strace suggestion.
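
Added example, not part of the thread: one way to do the comparison suggested above is to capture each AIDE run with `strace -f -ttt -T -o <file>` and rank syscalls by the extra time spent on the newer OS. The two traces below are constructed samples (including the socket path), not output from a real RHEL system.

```python
import re
from collections import defaultdict

# Matches one completed call in `strace -f -ttt -T` output: optional pid,
# optional timestamp, syscall name, and the <seconds> suffix added by -T.
LINE = re.compile(r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?(?:[\d.:]+\s+)?(\w+)\(.*<(\d+\.\d+)>\s*$")

def summarize(trace_text):
    """Return {syscall: (call_count, total_seconds)} for one trace."""
    stats = defaultdict(lambda: [0, 0.0])
    for line in trace_text.splitlines():
        m = LINE.match(line.strip())
        if m:  # skips signals, exit lines and unfinished/resumed fragments
            stats[m.group(1)][0] += 1
            stats[m.group(1)][1] += float(m.group(2))
    return {name: (c, t) for name, (c, t) in stats.items()}

def compare(old_text, new_text):
    """Rows of (syscall, old_calls, new_calls, extra_seconds), worst first."""
    old, new = summarize(old_text), summarize(new_text)
    rows = []
    for name in set(old) | set(new):
        oc, ot = old.get(name, (0, 0.0))
        nc, nt = new.get(name, (0, 0.0))
        rows.append((name, oc, nc, round(nt - ot, 6)))
    return sorted(rows, key=lambda r: r[3], reverse=True)

# Constructed sample traces (not captured from a real system).
RHEL5_TRACE = """\
1428600000.100000 open("/etc/passwd", O_RDONLY|O_LARGEFILE) = 3 <0.000020>
1428600000.100100 read(3, "root:x:0:0"..., 4096) = 1024 <0.000015>
1428600000.100200 close(3) = 0 <0.000005>
"""
RHEL6_TRACE = """\
1428600000.100000 socket(PF_FILE, SOCK_STREAM, 0) = 4 <0.000040>
1428600000.100050 connect(4, {sa_family=AF_FILE, path="/constructed/sock"}, 110) = -1 ENOENT (No such file or directory) <0.000060>
1428600000.100150 close(4) = 0 <0.000005>
1428600000.100200 open("/etc/passwd", O_RDONLY|O_LARGEFILE) = 3 <0.000020>
1428600000.100300 read(3, "root:x:0:0"..., 4096) = 1024 <0.000015>
1428600000.100400 close(3) = 0 <0.000005>
"""

if __name__ == "__main__":
    for name, oc, nc, extra in compare(RHEL5_TRACE, RHEL6_TRACE):
        print(f"{name:10} calls {oc:4} -> {nc:4}  extra time {extra:+.6f}s")
```

Syscalls that appear only in the newer trace, or whose call count jumps, sort to the top, which points at the code path to examine before rebuilding AIDE.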


All times are GMT -5.