Why are we experiencing poor or slow performance? (NETIQKB33282)

  • 7733282
  • 02-Feb-2007
  • 24-May-2007

Resolution

goal
Why are we experiencing poor or slow performance?

goal
How can we improve performance?

fact
NetIQ Security Agent for Unix 5.5

fact
VigilEnt Security Agent for Unix 5.0

fact
Security Manager 4.50

fact
Security Manager 5.X

fact
NetIQ Vulnerability Manager 5.0

fact
NetIQ Vulnerability Manager 5.5

symptom
Performance of the Unix Detect Watchdog is poor or slow.

symptom
Performance of the Security Manager is poor or slow.

symptom
Performance of the Vulnerability Manager is poor or slow.

cause

Performance of the Detect Watchdog impacts the performance of the products that rely on it, including:

  • Security Manager
  • Vulnerability Manager

 Performance of the Detect Watchdog is dependent on many factors, including the following:

  • Number of rule groups
  • Number of active rules that exist in the rule set
  • Number of objects that are continuously checked
  • Length of time the Detect Watchdog waits between processing batches of objects
  • Number of objects in a batch
  • Percentage of CPU cycles that are reserved for processing events


fix

Response of the Detect Watchdog is a trade-off between rule processing speed and CPU resource utilization. For example, decreasing the delay that the Detect Watchdog waits between checking batches of objects speeds up the time it takes to process rules, but it also increases the CPU load on your agent computers.

By default, the relevant parameters are set to mitigate the CPU load by waiting a few seconds between processing small batches of objects and by assigning average CPU priority to processing rules. These default parameters may not be suitable for all environments, especially if the Detect Watchdog response is slow and you are willing to trade CPU resources for faster response. Fine-tuning the Detect Watchdog may also improve the response of NetIQ products that rely on it, such as Security Manager and Vulnerability Manager.

Increasing Response of the Unix Detect Watchdog

The following topics help you fine-tune the Detect Watchdog for improved response:

  1. Remove unnecessary or resource intensive rule groups
  2. Decrease the delay values
  3. Limit the number of files that are checked by the filesystem rule group
  4. Increase the maximum number of objects
  5. Disable unnecessary rules
  6. Decrease the nice values

These topics are arranged from most beneficial to least beneficial. That is, removing unnecessary or resource intensive rule groups is generally more effective than disabling rules within a rule group or decreasing the nice value.

All of the following topics assume that the Unix Manager is running with a rule set open in the Rules Manager. For more information about using the Rules Manager, see the Unix Agent Installation and Configuration Guide.

1. Removing Unnecessary or Resource Intensive Rule Groups

Depending on the configuration of your Unix environments, some rule groups may not be necessary. For example, the paact rule group parses the process accounting log file for events. If the process accounting module is disabled, or if your Unix distribution does not support process accounting, remove this rule group completely. Removing a rule group completely eliminates its processing overhead and speeds up response more than just turning off the rules within a rule group.

Resource intensive rule groups can also be removed to improve response. For example, the network rule group runs lsof continuously to determine what TCP and UDP services are running. Most computers handle the resource commitment without problems; however, the network rule group can negatively affect response of some computers. The Unix Manager console includes a Port Scanner utility that provides similar functionality without continuously requiring resources. If you are experiencing response issues, complete the following steps to remove the network rule group, and then use the Port Scanner utility periodically to check for unauthorized network services. For more information about using the Port Scanner utility, see the Help.

To remove rule groups:

  1. Determine which rule groups are not required for your environment and which rule groups are too expensive in terms of resources. For helpful information, select a rule group, and then read the description on the Attributes tab.
  2. Select the rule groups that you want to remove. Hold CTRL to select multiple rule groups.
  3. Right-click and select Delete.
  4. Click Yes to confirm the deletion.
  5. Save the modified rule set to the local file system for your archives.
  6. Activate the modified rule set by uploading it to one or more remote computers.

2. Decreasing Delay Values

The delay values in the filesystem and network rule groups set the number of seconds the Detect Watchdog sleeps between processing batches of objects. For other rule groups, the delay value sets the number of seconds the Detect Watchdog sleeps after determining that no new events have occurred. Decreasing delay values increases the CPU load, but also speeds up rule processing, especially for the filesystem and network rule groups. Default delay values are 15 seconds for the network rule group, 5 seconds for the filesystem rule group, and 0-2 seconds for all other rule groups.

To decrease delay values:

  1. Select the rule group nodes where you want to change the delay value. Hold CTRL to select multiple rule group nodes.
  2. Right-click the selected nodes, and then select Edit > Edit Delay(s).
  3. Type a new delay value in seconds, and then click OK.
  4. Save the rule set to the local file system for your archives.
  5. Activate the modified rule set by uploading it to one or more remote computers.

3. Limiting Files that are Checked by the Filesystem Rule Group

By default, the filesystem rule group constantly checks files in security critical directories such as /etc, /bin, /sbin, /usr/bin, and /lib. It is possible that constant checking of many objects can slow down response of the Detect Watchdog on some computers. The filesystem rule group lets you specify target directories to check, specify the depth of subdirectories to check under the target directory, and also specify directories to exclude from the checks. By limiting the directories that are checked, the Detect Watchdog lets you conserve resources that may be wasted checking non-security critical files.

To limit files checked by the filesystem rule group:

  1. Select the Group: filesystem node.
  2. Right-click and select Edit.
  3. Click the Event Source tab.
  4. Review the syntax of the included directory field to understand how the Detect Watchdog expects input parameters. For example, '/etc', 3, '/bin' '/sbin', 2, indicates that the /etc, /bin, and /sbin directories will be checked as well as all subdirectories that are up to 3 levels below /etc, and 2 levels below /bin and /sbin.
  5. Determine which directories listed in the included directories field do not contain security critical files.
  6. Delete directory paths that you do not want to check from the included directory list.
    If you want to exclude specific directories, such as a specific subdirectory under /etc that would otherwise be checked, type the directory path in the excluded directory list using the required syntax.
  7. Save the rule set to the local file system for your archives.
  8. Activate the modified rule set by uploading it to one or more remote computers.

4. Increasing the Maximum Number of Objects

The filesystem Event Source is configured to batch 20 objects by default before sleeping for a few seconds and then processing another batch of 20 objects. Increasing the number of objects in each batch increases the CPU load, but improves the response of filesystem rules. Complete the following steps to increase the maximum number of objects.

To increase the maximum number of objects:

  1. Select the Source: filesystem node.
  2. Right-click and select Edit.
  3. Click the Event Code tab.
  4. Locate the line $maxObjs = 20.
  5. Change the $maxObjs value to a higher number, such as 40.
  6. Click OK.
  7. Save the rule set to the local file system for your archives.
  8. Activate the modified rule set by uploading it to one or more remote computers.
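The three tuning knobs above (delay value, include list with depths and excludes, and $maxObjs batch size) interact: the time for the Detect Watchdog to get through one full pass of the filesystem rule group is roughly the number of objects divided into batches, times the sleep between batches. The following script is an added example, not NetIQ code, that estimates that pass time for a candidate include list before you upload a modified rule set. It assumes the include-list syntax shown in topic 3 (quoted paths followed by a depth), counts regular files only, and uses the article's defaults of 20 objects per batch and a 5 second delay; how the real Watchdog enumerates objects may differ, so treat the numbers as relative comparisons between settings rather than exact figures. The sample directory tree is constructed in a temporary directory so the script runs offline.

```python
"""Estimate the filesystem rule group's object count and polling cycle time.

Added example for the NetIQ KB article; not part of the product. Assumptions:
  - include list syntax is "'/dir', depth, '/dir2' '/dir3', depth" as in topic 3
  - only regular files are counted as objects
  - one pass = ceil(objects / max_objs) batches, each followed by `delay` seconds
"""
import math
import os
import re
import tempfile

# A token is either a quoted path or an integer depth.
_TOKEN_RE = re.compile(r"'([^']*)'|(\d+)")


def parse_include_list(spec):
    """Return [(directory, depth), ...] from a string such as "'/etc', 3, '/bin' '/sbin', 2".

    Every quoted path takes the depth that follows it. A path with no trailing
    depth is rejected rather than silently treated as unlimited.
    """
    pairs, pending = [], []
    for match in _TOKEN_RE.finditer(spec):
        path, depth = match.group(1), match.group(2)
        if path is not None:
            pending.append(path)
            continue
        if not pending:
            raise ValueError(f"depth {depth} has no preceding directory")
        pairs.extend((p, int(depth)) for p in pending)
        pending = []
    if pending:
        raise ValueError(f"directories without a depth: {pending}")
    return pairs


def count_objects(root, depth, excluded=()):
    """Count files under root, descending at most `depth` levels below it.

    Directories listed in `excluded` (and everything beneath them) are skipped,
    mirroring the excluded directory list on the Event Source tab.
    """
    root = os.path.normpath(root)
    excluded = {os.path.normpath(e) for e in excluded}
    total = 0
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath in excluded:
            dirnames[:] = []  # prune: do not descend into an excluded directory
            continue
        level = 0 if dirpath == root else os.path.relpath(dirpath, root).count(os.sep) + 1
        total += len(filenames)
        if level >= depth:
            dirnames[:] = []  # reached the configured depth: stop descending
    return total


def cycle_seconds(n_objects, max_objs=20, delay=5):
    """Seconds for one full pass: a `delay` sleep after each batch of `max_objs` objects."""
    return math.ceil(n_objects / max_objs) * delay


def estimate(spec, excluded=(), max_objs=20, delay=5):
    """Combine the include list, exclude list, batch size and delay into one estimate."""
    counts = {d: count_objects(d, depth, excluded) for d, depth in parse_include_list(spec)}
    total = sum(counts.values())
    return {"per_directory": counts, "objects": total,
            "cycle_seconds": cycle_seconds(total, max_objs, delay)}


def build_sample_tree():
    """Constructed stand-in for /etc in a temp dir; returns the path of that 'etc'."""
    base = tempfile.mkdtemp(prefix="watchdog-demo-")
    layout = {
        "etc": ["passwd", "shadow", "exports"],
        "etc/ssh": ["sshd_config"],
        "etc/ssh/keys": ["host_rsa"],
        "etc/ssh/keys/old": ["host_rsa.bak"],
        "etc/ssh/keys/old/deep": ["unused"],  # level 4: beyond depth 3, never checked
        "etc/cache": ["a", "b", "c", "d"],     # non-critical: candidate for the exclude list
    }
    for rel, files in layout.items():
        d = os.path.join(base, rel)
        os.makedirs(d, exist_ok=True)
        for name in files:
            with open(os.path.join(d, name), "w"):
                pass
    return os.path.join(base, "etc")


if __name__ == "__main__":
    etc = build_sample_tree()
    spec = f"'{etc}', 3"
    print("defaults:       ", estimate(spec))
    print("exclude cache:  ", estimate(spec, excluded=[etc + "/cache"]))
    print("batch 40, 2 s:  ", estimate(spec, max_objs=40, delay=2))
```

Run it once against your real include list (replace the constructed tree with the directories from the Event Source tab) and compare the cycle_seconds figure for the default settings against the candidate settings; a directory that contributes few objects is not worth excluding, since it buys little response while giving up change detection on it.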

5. Disabling Unnecessary Rules

Even if a rule group is necessary for your environment, some of the rules within the rule group may not be, particularly rules within the filesystem rule group. The filesystem rule group contains a comprehensive set of file system rules, some of which are not required for every Unix computer. For example, the exports rule continuously checks the exports file for changes. If the rule set resides on a computer that does not manage file system exports, then the rule is not necessary. If you cannot eliminate entire rule groups, turn off unnecessary rules within the rule group to reduce wasted CPU cycles.

Some rule groups are designed for specific Unix distributions. Rule groups that are not designed for your Unix distribution are automatically terminated. For example, the bsm rule group is designed for the Basic Security Module on Solaris computers. If you are running a different distribution, the rules in this rule group are automatically terminated. It is not essential to disable these rules manually.

To disable unnecessary rules:

  1. Expand one of the rule group nodes to display the rules in the rule group.
  2. Determine which rules are not necessary for your environment. For helpful information, select a rule, and then read the description on the Attributes tab.
  3. Select all unnecessary rules within the rule group. Hold CTRL to select multiple rules.
  4. Right-click and select Off to turn off the unnecessary rules.
  5. Repeat step 1 to step 4 for each rule group in your rule set.
  6. Save the modified rule set to the local file system for your archives.
  7. Activate the modified rule set by uploading it to one or more remote computers.

6. Decreasing Nice Values

Nice values balance the percentage of CPU cycles that are reserved for processing rules and the percentage of CPU cycles that are reserved for running other programs and services. By default, the nice values for most rule groups are set at or near 0. This assignment gives these rule groups average CPU priority. Decreasing the nice value sets the CPU priority in favor of processing rules; however, decreasing the nice value may not produce noticeable results unless the CPU is under extreme loads.

To decrease nice values:

  1. Select the rule group nodes where you want to change the nice value. Hold CTRL to select multiple group nodes.
  2. Right-click the selected nodes, and then select Edit > Edit Nice Value(s).
  3. Move the slider to a lower value to decrease the nice value, and then click OK.
  4. Save the modified rule set to the local file system for your archives.
  5. Activate the modified rule set by uploading it to one or more remote computers.



note

For more information on managing rules using the Rules Manager, see the Unix Agent Installation and Configuration Guide.



Additional Information

Formerly known as NETIQKB33282