Does the Inotifywait process increase the server load? Change Inotify to AuditD

You are here:
Estimated reading time: 1 min
Inotify is the Malware Detection module’s filesystem monitoring tool. It detects if a file has been uploaded to the server or has been modified and triggers the Malware Detection module to check the file.

– If there are a lot of file changes or uploads on the server constantly Inotify might increase the server’s load
– AuditD requires much less resource on the server and it is also faster than Inotify

Check if AuditD can be used

  1. start AuditD temporally with this command:
    bitninjacli --module=MalwareDetection --use-auditd
  2. Check if the necessary AuditD rules are generated. You can do that with auditctl -l
  3. AuditD will log to the same file so you can check if AuditD is running with tail -f /var/log/bitninja/inotify/inotify.log

Enable AuditD permanently

To enable AuditD permanently you just need to modify the Malware detection module’s config file:

  1. Open /etc/bitninja/MalwareDetection/config.ini with a preferred text editor
    e.g.: nano /etc/bitninja/MalwareDetection/config.ini
  2. Find the [FileSystemMonitor] flag in the file
    1. e.g.: in nano press ctrl + w and then type in “[File”
  3. Replace the code block on the screenshot with the lines below. Or delete the lower four line’s semicolons and change the order of the monitor_order[] lines so 'auditd' will be the first
  4. Save the changes and exit from the text editor
    1. e.g.: in nano press ctrl + x then press y and then press enter
  5. Restart BitNinja with service bitninja restart command
monitor_type = 'auditd'
monitor_order[] = 'auditd'
monitor_order[] = 'inotify'
monitor_order[] = 'nullMonitor'

Views: 1214