cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
scarney
Level 9
Report Inappropriate Content
Message 1 of 6

Logging into a system can take up to 3 minutes when Solidcore is enabled

Jump to solution
  • OS: CentOS 7.8.2003
  • Kernel: 3.10.0-1127.18.2.el7.x86_64
  • McAfee Solidcore: 6.4.8-101

We have a login management system on top of Linux for security and auditing reasons.  After approximately 1 in 3 reboots, we see a delay of anywhere from 30 seconds to 4 minutes before we can access the system.  Experiments:

  • Put system in update mode.  Didn't notice a difference
  • This is a Linux system so the memory protection feature isn't a factor.  At least, I didn't see it in the features list.
  • Disabled Solidifier.  Performance problem went away.  Rebooted + login 20 times in a row and now performance problem.

I looked in the release notes and saw nothing about a performance issue.

Any other ideas are welcome.

--

Regards,

Sandra Carney

1 Solution

Accepted Solutions
scarney
Level 9
Report Inappropriate Content
Message 6 of 6

Re: Logging into a system can take up to 3 minutes when Solidcore is enabled

Jump to solution

We were seeing the following messages in the solidcore log whenever it stalled which was always when we first accessed it:

U.3891.3926: Feb 27 2021:22:43:45.123:   ERROR: userver.c: 2250: Failed to write 32 bytes for process 'systemd-readahe', (filename '/.readahead.new'). errno: 2 fd: 14 evt_id: 0 response: Allow.
U.3891.3926: Feb 27 2021:22:43:45.123:   ERROR: userver.c: 2203: Error writing response to kernel.  err 2

One of our administrators looked  at the systemd readhead services and disabled them:

[root@tdwsx00000002 solidcore]# systemctl status systemd-readahead-collect.service
● systemd-readahead-collect.service - Collect Read-Ahead Data
   Loaded: loaded (/usr/lib/systemd/system/systemd-readahead-collect.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:systemd-readahead-replay.service(8)
[root@tdwsx00000002 solidcore]# systemctl status systemd-readahead-replay.service
● systemd-readahead-replay.service - Replay Read-Ahead Data
   Loaded: loaded (/usr/lib/systemd/system/systemd-readahead-replay.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:systemd-readahead-replay.service(8)
[root@tdwsx00000002 solidcore]# systemctl status systemd-readahead-done.timer
● systemd-readahead-done.timer - Stop Read-Ahead Data Collection 10s After Completed Startup
   Loaded: loaded (/usr/lib/systemd/system/systemd-readahead-done.timer; indirect; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:systemd-readahead-replay.service(8)

 This appears to have fixed our performance problem.  We have to go through more extensive testing to make sure.  Are there any reports of conflicts between these services and MACC 6.4.x?

View solution in original post

5 Replies
mkonno
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 6

Re: Logging into a system can take up to 3 minutes when Solidcore is enabled

Jump to solution

Hello @scarney,

Thank you for posting on the community.

As known issues, MACC has compatibility issues like below, so if your system uses SELinux or Auditd configuration, please disable it and check if the problem is resolved or not.

Incompatibility issue between MACC and Auditd for RHEL7
https://kc.mcafee.com/corporate/index?page=content&id=KB92460

Cannot enable Application and Change Control on a Red Hat Linux 7 or 8 system
https://kc.mcafee.com/corporate/index?page=content&id=KB91660

I hope this helps.

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
scarney
Level 9
Report Inappropriate Content
Message 3 of 6

Re: Logging into a system can take up to 3 minutes when Solidcore is enabled

Jump to solution

We don't have SELinux running currently but were planning to move to SELinux in a future release.  Does McAfee have any plans to address this incompatibility in a future release?

As for disabling auditd, that didn't help.

Any other ideas would be welcome.

scarney
Level 9
Report Inappropriate Content
Message 4 of 6

Re: Logging into a system can take up to 3 minutes when Solidcore is enabled

Jump to solution

Also,

Our current version of MACC was built by us because, at the time, our kernel, 3.10.0-1127.18.2.el7.x86_64, was not supported.  We custom built 6.4.8-101.  I have looked through the newer versions of MACC and the release notes for 6.4.11-128 says our kernel is supported.  I will try installing that to see if our problem is resolved.

scarney
Level 9
Report Inappropriate Content
Message 5 of 6

Re: Logging into a system can take up to 3 minutes when Solidcore is enabled

Jump to solution

Also, this is how MACC is configured on our system:

[root@tdwsx00000002 solidcore]# sadmin help config

 

config export FILE

config import [-a] FILE

config set NAME=VALUE

config show

 

    To export, import, set or show configuration .

 

    export    Export configuration to file.

    import    Import configuration from file.

    set       Set configuration parameter.

    show      Show configuration parameters.

 

    -a    To append configuration values. Default behavior is

          replacement of configuration values.

    FILE  File to export to or import parameters from.

    NAME  Name of the configuration parameter.

    VALUE Decimal value of the configuration parameter.

 

    The parameters that appear *ed in 'show' sub-command

    cannot be set.

[root@tdwsx00000002 solidcore]# sadmin config show

Password:

  CustomerConfig                0 (0x0)

  EventCacheSize                2 (0x2)

  EventCacheWMHigh              90 (0x5a)

  EventCacheWMLow               70 (0x46)

  FailSafeConf                  0 (0x0)

* FeaturesEnabled               16842791 (0x1010027)

* FeaturesEnabledOnReboot       16842791 (0x1010027)

* FeaturesInstalled             563018958176311 (0x2001011010037)

* FileAttrCTrack                4912 (0x1330)

* FileDenyReadOptions           735 (0x2df)

* FileDenyWriteOptions          735 (0x2df)

  FileDiffMaxSize               1024 (0x400)

* FipsMode                      0 (0x0)

* LockdownStatus                0 (0x0)

  LogFileNum                    4 (0x4)

* LogFilePath                   /var/log/mcafee/solidcore

  LogFileSize                   2048 (0x800)

* RTEMode                       1 (0x1)

* RTEModeOnReboot               1 (0x1)

* WorkFlowId                    None

* HashAlgorithm                 SHA1

  ZeroDayKernelSupport          1 (0x1)
scarney
Level 9
Report Inappropriate Content
Message 6 of 6

Re: Logging into a system can take up to 3 minutes when Solidcore is enabled

Jump to solution

We were seeing the following messages in the solidcore log whenever it stalled which was always when we first accessed it:

U.3891.3926: Feb 27 2021:22:43:45.123:   ERROR: userver.c: 2250: Failed to write 32 bytes for process 'systemd-readahe', (filename '/.readahead.new'). errno: 2 fd: 14 evt_id: 0 response: Allow.
U.3891.3926: Feb 27 2021:22:43:45.123:   ERROR: userver.c: 2203: Error writing response to kernel.  err 2

One of our administrators looked  at the systemd readhead services and disabled them:

[root@tdwsx00000002 solidcore]# systemctl status systemd-readahead-collect.service
● systemd-readahead-collect.service - Collect Read-Ahead Data
   Loaded: loaded (/usr/lib/systemd/system/systemd-readahead-collect.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:systemd-readahead-replay.service(8)
[root@tdwsx00000002 solidcore]# systemctl status systemd-readahead-replay.service
● systemd-readahead-replay.service - Replay Read-Ahead Data
   Loaded: loaded (/usr/lib/systemd/system/systemd-readahead-replay.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:systemd-readahead-replay.service(8)
[root@tdwsx00000002 solidcore]# systemctl status systemd-readahead-done.timer
● systemd-readahead-done.timer - Stop Read-Ahead Data Collection 10s After Completed Startup
   Loaded: loaded (/usr/lib/systemd/system/systemd-readahead-done.timer; indirect; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:systemd-readahead-replay.service(8)

 This appears to have fixed our performance problem.  We have to go through more extensive testing to make sure.  Are there any reports of conflicts between these services and MACC 6.4.x?

View solution in original post

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community