High CPU utilization can result from IPS monitoring tmpfs file systems (usually /tmp) when there are >10K files and directories present on the tmpfs file system. With very large numbers of files and directories, performance degradation should be expected in the /tmp file system.
The Symantec Critical System Protection IPS driver requires the real or absolute path of the files and directories that are being checked against an IPS policy for access. The IPS driver makes a call to the Solaris readdir() function to get the real path at each level of the directory structure, where readdir() unexpectedly returns all of the entries under the entire tmpfs filesystem being traversed. Large numbers of files or directories worsen the performance impact of these calls and they can, in extreme conditions, consume most or all of the available CPU.
Commands that call chdir() on files under the /tmp file system, such as find and rm, will also trigger the issue.
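To check whether a host is in the condition described above, the following added example (not Symantec code) counts the files and directories under a mount point such as /tmp and reports whether the total passes the 10K mark. It walks by full path without calling chdir() and stops as soon as the limit is passed. Assumptions: Python 3.6 or later is available on the host, and the names `count_entries` and `THRESHOLD` are illustrative.

```python
import os
import sys

THRESHOLD = 10_000  # entry count the article associates with high CPU use


def count_entries(root, limit=THRESHOLD):
    """Count files and directories under root without leaving its file system.

    Returns (count, exceeded). Stops once count passes limit, so a badly
    overpopulated tree is not walked in full. Uses full paths only and never
    calls chdir(). Symbolic links are counted but not followed.
    """
    root_dev = os.lstat(root).st_dev
    count = 0
    stack = [root]
    while stack:
        current = stack.pop()
        try:
            with os.scandir(current) as entries:
                for entry in entries:
                    count += 1
                    if count > limit:
                        return count, True
                    try:
                        same_fs = (entry.stat(follow_symlinks=False).st_dev
                                   == root_dev)
                        if same_fs and entry.is_dir(follow_symlinks=False):
                            stack.append(entry.path)
                    except OSError:
                        continue  # entry vanished between listing and stat
        except OSError:
            continue  # unreadable or removed directory: skip it
    return count, False


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/tmp"
    total, exceeded = count_entries(path)
    if exceeded:
        print(f"{path}: more than {THRESHOLD} entries, stopped counting")
    else:
        print(f"{path}: {total} entries, below the {THRESHOLD} mark")
```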
The fix optimizes the IPS driver code to remove the readdir() calls that were causing the large performance impact.
Solaris 9: Resolved in 5.2.8 MP4
Solaris 10: Will be addressed in the SCSP 5.2.9 release.
Affected operating systems: Solaris 9 and Solaris 10
Affected Symantec Critical System Protection versions:
Solaris 9: Release 5.2.8 MP3 or earlier.
Solaris 10: Release 5.2.8 MP4 or earlier.
Affected Symantec Critical System Protection policy: UNIX Prevention Policies
Imported Document ID: TECH192788