Does the Inotifywait process increase the server load? Change Inotify to AuditD

You are here:
Estimated reading time: 1 min
Inotify is the Malware Detection module’s filesystem monitoring tool. It detects if a file has been uploaded to the server or has been modified and triggers the Malware Detection module to check the file.

– If there are a lot of file changes or uploads on the server constantly Inotify might increase the server’s load
– AuditD requires much less resource on the server and it is also faster than Inotify

Since BitNinja version 3.10.25, the default File Monitoring System tool is auditd on new installations.

Check if AuditD can be used

  1. To start AuditD temporally with this command:
    bitninjacli --module=MalwareDetection --use-auditd
  2. Check if the necessary AuditD rules are generated. You can do that with auditctl -l
  3. AuditD will log to the same file so you can check if AuditD is running with tail -f /var/log/bitninja/inotify/inotify.log

AuditD on RPM distributions

If SELinux is enabled, AuditD File Monitoring System won’t be able to start. Because of this, please set SELinux to disabled in the /etc/selinux/config file and reboot your system.

sudo bash -c 'cat > /etc/selinux/config <<EOF
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
EOF'

Enable AuditD permanently

You can do this from the BitNinja dashboard from the Configuration menu. You can apply the changes explained below on a per-server basis or a server group’s level, or you can apply it to your whole account.

  1. Open the Configuration menu on your BitNinja dashboard.
  2. Select the setting level on the left side. (server-level, server group-level, account-level)
  3. Select the Malware Detection module.

  4. Scroll down and select the “Advanced settings” menu at the bottom.
  5. Change the File system monitor to auditd.
  6. Click on the Save button at the top of the page.
  7. Restart BitNinja with the service bitninja restart command.

Was this article helpful?
It was not helpful
Views: 1586