t148548@telefon

Solaris 10 BSM (Intel) PRAudit

We have problems on an Intel machine running Solaris 10 with BSM configured. The praudit process takes a long time to convert the binary files to ASCII. The result is overlapping praudit processes, and the machine's resources are exhausted.

We have the same configuration on a SPARC machine running Solaris 10 with BSM configured, and this problem does not appear there.

We have installed SmartConnector™ for Solaris Basic Security Module

Anyone had this problem?

6 Replies
t148548@telefon

Re: Solaris 10 BSM (Intel) PRAudit

Sorry, I forgot an important detail: the SmartConnector for Solaris BSM is installed on an external machine (Solaris SPARC). On the SPARC machine we receive the ASCII files coming from the Intel machine.

katzmandu1

Re: Solaris 10 BSM (Intel) PRAudit

The issue is with the execution time of praudit on the Solaris/x86 system. So the trick would be to have it run more frequently, so it's decoding/decompiling less binary data per run and can complete faster, without overlapping. That's one place to start.

Another trick is that IO could be slowing you down. praudit reads a file from the bowels of /var/ ... but where is it putting the output? It should probably write it to a text file on another filesystem or shared directory that is on a different spindle than the binary data. Otherwise you're reading/writing to the same physical disk at the same time, making things slow.

babimorosos1

Re: Solaris 10 BSM (Intel) PRAudit

Hi,
I am a coworker of Lorenzo. We have the problem that on some machines the praudit process drags on for a very long time. I show an example below:


bash-3.2# df -kh
Filesystem             size   used  avail capacity  Mounted on
/dev/dsk/c0t0d0s0      9.6G   2.7G   6.8G    29%    /
/devices                 0K     0K     0K     0%    /devices
ctfs                     0K     0K     0K     0%    /system/contract
proc                     0K     0K     0K     0%    /proc
mnttab                   0K     0K     0K     0%    /etc/mnttab
swap                    14G   840K    14G     1%    /etc/svc/volatile
objfs                    0K     0K     0K     0%    /system/object
sharefs                  0K     0K     0K     0%    /etc/dfs/sharetab
/usr/lib/libc/libc_hwcap1.so.1
                       9.6G   2.7G   6.8G    29%    /lib/libc.so.1
fd                       0K     0K     0K     0%    /dev/fd
/dev/dsk/c0t0d0s4      125G    41G    83G    34%    /var
swap                    14G    52M    14G     1%    /tmp
swap                    14G    16K    14G     1%    /var/run
/dev/dsk/c0t0d0s5      125G   2.2G   122G     2%    /export/home

bash-3.2# pwd
/export/home/user1/test/


bash-3.2# ./measuringtime.sh
total 2
-rwxr-xr-x   1 root     root         362 Jan 14 10:30 measuringtime.sh
    root  3128  3125   0 10:30:24 pts/333     0:00 grep prau
STEP 1
real    0m3.820s
user    0m0.169s
sys     0m0.080s
STEP 2
real    65m39.885s
user    0m27.254s
sys     0m27.549s
STEP 3
real    76m35.646s
user    0m27.728s
sys     0m28.713s
STEP 4
real    63m29.980s
user    0m26.401s
sys     0m26.521s
total 117362
-rwxr-xr-x   1 root     root         362 Jan 14 10:30 measuringtime.sh
-rw-r--r--   1 root     root        7.1M Jan 14 10:31 file_reduced
-rw-r--r--   1 root     root         20M Jan 14 11:36 filetext1
-rw-r--r--   1 root     root         11M Jan 14 12:53 filetext2
-rw-r--r--   1 root     root         20M Jan 14 13:57 filetext3
bash-3.2#


######################### SCRIPT measuringtime.sh
#!/bin/bash
# Show the working directory and any praudit process already running
ls -lrth

ps -ef | grep prau
echo "STEP 1"
# Extract one day's records from the trail files into a single binary file
time auditreduce -d 20140114 /var/audit/*20140114030000* > file_reduced
echo "STEP 2"
# Time the three praudit output formats on the same binary input
time cat file_reduced| praudit -x > filetext1
echo "STEP 3"
time cat file_reduced| praudit -l > filetext2
echo "STEP 4"
time cat file_reduced| praudit -x -l > filetext3
ls -lrth

######################################

I have monitored the CPU and the disk writes, and they are normal, with 70% idle.

katzmandu1

Re: Solaris 10 BSM (Intel) PRAudit

Great stats; that's amazing.

I'd want you to try running "STEP 2" again, except instead of > filetext1 go to > /dev/null

... that will prove whether it's IO bound or CPU bound.

If it is IO bound it may be faster to write the output to a second drive or USB stick. If it's CPU bound, the other option would be to do the praudit commands on another host that is faster.

babimorosos1

Re: Solaris 10 BSM (Intel) PRAudit

Hi, after changes:

bash-3.2# ./measuringtime.sh
total 41122
-rw-------   1 root     root         10M Jan 22 16:31 20140122030000.not_terminated.gestip3
-rw-r--r--   1 root     root         10M Jan 22 16:31 file_reduced
-rwxr-xr-x   1 root     root         323 Jan 22 16:31 measuringtime.sh
    root 10746 10743   0 09:44:39 pts/261     0:00 grep praudit
STEP 1
STEP 2

real    68m14.597s
user    0m35.506s
sys     0m29.582s
STEP 3

real    63m56.336s
user    0m35.543s
sys     0m29.693s
STEP 4

real    67m28.542s
user    0m35.640s
sys     0m29.660s
total 41122
-rw-------   1 root     root         10M Jan 22 16:31 20140122030000.not_terminated.gestip3
-rw-r--r--   1 root     root         10M Jan 22 16:31 file_reduced
-rwxr-xr-x   1 root     root         323 Jan 22 16:31 measuringtime.sh

######################### SCRIPT measuringtime.sh

#!/bin/bash
ls -lrth

ps -ef | grep praudit
echo "STEP 1"
# STEP 1 disabled for this run: the existing file_reduced is reused
#time auditreduce -d 20140114 /var/audit/*20140122030000* > file_reduced
echo "STEP 2"
# Output discarded to /dev/null to separate praudit's own time from disk writes
time cat file_reduced| praudit -x > /dev/null
echo "STEP 3"
time cat file_reduced| praudit -l > /dev/null
echo "STEP 4"
time cat file_reduced| praudit -x -l > /dev/null
ls -lrth

katzmandu1

Re: Solaris 10 BSM (Intel) PRAudit

OK, so it's not a file-writing or IO issue; it's just that praudit is taking its time in reading the files. Any way to copy the files to another host and run praudit on them there?

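A worked version of the advice given in this thread (run praudit more often so runs do not overlap, write the ASCII output to a different filesystem, and never feed praudit the trail file auditd is still writing), as an added example that is not code from any of the posts above. It is a POSIX shell script intended for root's crontab on the Solaris 10 x86 host. The output directory, the lock path and the `run` argument are assumptions; `audit -n` (close the current trail file and open a new one) and `praudit -l` (one record per line) are standard Solaris 10 BSM commands, and the `start.end.host` / `start.not_terminated.host` trail file names follow the listing in the thread.

```shell
#!/bin/bash
# Added example, not from the thread: a cron job that closes the active BSM
# trail, converts only the finished trail files, one at a time under a lock,
# and writes the ASCII output to a different filesystem from /var/audit.
# All paths below are assumptions; match them to audit_control and your layout.

AUDIT_DIR="${AUDIT_DIR:-/var/audit}"                 # binary trail (BSM default)
OUT_DIR="${OUT_DIR:-/export/home/audit_ascii}"       # ASCII output, other slice (assumed)
LOCK_DIR="${LOCK_DIR:-/var/run/praudit_rotate.lock}"  # lock path (assumed)

# Exclusive lock via mkdir, which is atomic. A second run started by cron
# while praudit is still busy gets status 1 and must exit instead of piling up.
acquire_lock() {
    if mkdir "$1" 2>/dev/null; then
        echo "$$" > "$1/pid"
        return 0
    fi
    # Recover from a lock left behind by a run that died (pid no longer exists).
    pid=$(cat "$1/pid" 2>/dev/null || true)
    if [ -n "$pid" ] && ! kill -0 "$pid" 2>/dev/null; then
        rm -rf "$1"
        mkdir "$1" && echo "$$" > "$1/pid" && return 0
    fi
    return 1
}

release_lock() {
    rm -rf "$1"
}

# Print the closed trail files in $1 (named start.end.host) that have no
# converted copy in $2 yet. The file auditd is still appending to is named
# start.not_terminated.host and is skipped: converting it would read a
# growing file and yield a partial record set that the next run repeats.
pending_trails() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        base=${f##*/}
        case "$base" in
            *.not_terminated.*) continue ;;
            [0-9]*.[0-9]*.*) ;;
            *) continue ;;
        esac
        [ -e "$2/$base.txt" ] && continue
        echo "$f"
    done
    return 0
}

# Convert one trail file with praudit -l (one record per line, which a
# log-shipping agent can tail). Write to a temporary name first so the
# collector never picks up a half-written file.
convert_trail() {
    src=$1
    dst="$2/${src##*/}.txt"
    praudit -l "$src" > "$dst.tmp" && mv "$dst.tmp" "$dst"
}

main() {
    if ! acquire_lock "$LOCK_DIR"; then
        echo "praudit run already in progress, skipping this cycle" >&2
        exit 0
    fi
    trap 'release_lock "$LOCK_DIR"' EXIT
    # Ask auditd to close the current trail file and start a new one, so the
    # records collected since the last cycle become a finished file.
    audit -n
    mkdir -p "$OUT_DIR"
    pending_trails "$AUDIT_DIR" "$OUT_DIR" | while read -r f; do
        convert_trail "$f" "$OUT_DIR"
    done
}

# Only act when invoked with "run" (e.g. from cron); sourcing the file just
# defines the functions.
case "${1:-}" in
    run) main ;;
esac
```

Schedule it in root's crontab at the interval that keeps each batch small, for example `0,15,30,45 * * * * /usr/local/sbin/praudit_rotate.sh run` (path assumed); with the lock in place, a slow cycle simply causes the next one to skip rather than overlap. Two caveats from the thread itself: in the df listing above, /var (c0t0d0s4) and /export/home (c0t0d0s5) are slices of the same disk c0t0d0, so writing there separates filesystems but not spindles, and the /dev/null runs show praudit is CPU-bound on this host, so if it stays too slow the `convert_trail` step can instead copy the closed binary file to the SPARC collector and run praudit there, as the last reply suggests.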