auditing ntpd

Vipin Rathor v.rathor at gmail.com
Thu Sep 8 10:22:22 UTC 2011


Hi (again),
I've this rule in the audit.rules file to keep tabs on system time changes:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -F auid!=-1 -k adjtimex_time-change

And I'm continuously getting these messages on the external logging server:
node=<hostname> type=SYSCALL msg=audit(1315476783.281:537763):
arch=c000003e syscall=159 success=yes exit=5 a0=7fff05a77db0 a1=861
a2=0 a3=1 items=0 ppid=1 pid=2551623 auid=0 uid=38 gid=38 euid=38
suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=61352
comm="ntpd" exe="/usr/sbin/ntpd" key="adjtimex_time-change"

After strace'ing the ntpd, I can see the 'adjtimex' system call
getting called continuously:
# strace -p 2551623
Process 2551623 attached - interrupt to quit
select(28, [16 17 18 19 20 21 22 23 24 25 26 27], NULL, NULL, {0,
663331}) = 0 (Timeout)
adjtimex({modes=ADJ_OFFSET|0x8000, offset=0, freq=0,
maxerror=16000000, esterror=16, status=STA_UNSYNC|0x2000, constant=0,
precision=1, tolerance=32768000, time={1315477226, 286574975},
tick=10000, ppsfreq=0, jitter=0, shift=0, stabil=0, jitcnt=0,
calcnt=0, errcnt=0, stbcnt=0}) = 5 (TIME_ERROR)
select(28, [16 17 18 19 20 21 22 23 24 25 26 27], NULL, NULL, {0,
994495}) = 0 (Timeout)
adjtimex({modes=ADJ_OFFSET|0x8000, offset=0, freq=0,
maxerror=16000000, esterror=16, status=STA_UNSYNC|0x2000, constant=0,
precision=1, tolerance=32768000, time={1315477227, 282047022},
tick=10000, ppsfreq=0, jitter=0, shift=0, stabil=0, jitcnt=0,
calcnt=0, errcnt=0, stbcnt=0}) = 5 (TIME_ERROR)
.....
.....

Any pointers on why this is happening? How can I resolve this?

I'm using RHEL 6.1 with these audit rpms:
audit-libs-2.1-5.el6.x86_64
audit-2.1-5.el6.x86_64
audispd-plugins-2.1-5.el6.x86_64

Thanks in advance for any help in this regard.
-- 
-Rathor
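
A triage sketch for records like the one above, added here as an example and not part of the original post: it groups SYSCALL records carrying the rule's key by executable, syscall, auid, uid and tty, so the periodic ntpd calls can be told apart from other time changes. Only the first sample record comes from the post; the other records and the function names are constructed for illustration.

```python
import re
from collections import Counter

# x86_64 (arch=c000003e) numbers of the two syscalls named in the rule
TIME_SYSCALLS = {"159": "adjtimex", "164": "settimeofday"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Return the key=value fields of one audit record as a dict."""
    fields = {}
    for name, value in FIELD_RE.findall(line):
        if value.startswith('"'):
            value = value[1:-1]
        elif name in ("comm", "exe"):
            # The audit subsystem hex-encodes these fields when they contain
            # spaces or other unsafe characters, and then omits the quotes.
            try:
                value = bytes.fromhex(value).decode("utf-8", "replace")
            except ValueError:
                pass
        fields[name] = value
    return fields

def summarize(lines, key="adjtimex_time-change"):
    """Count matching SYSCALL records per (exe, syscall, auid, uid, tty)."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("key") != key:
            continue
        if rec.get("arch") != "c000003e":
            continue  # the number table above is only valid for x86_64
        name = TIME_SYSCALLS.get(rec.get("syscall"), rec.get("syscall"))
        counts[(rec.get("exe"), name, rec.get("auid"), rec.get("uid"), rec.get("tty"))] += 1
    return counts

# First record is the one from the post, re-joined; the rest are constructed and trimmed.
SAMPLE = [
    'node=<hostname> type=SYSCALL msg=audit(1315476783.281:537763): arch=c000003e syscall=159 success=yes exit=5 a0=7fff05a77db0 a1=861 a2=0 a3=1 items=0 ppid=1 pid=2551623 auid=0 uid=38 gid=38 euid=38 '
    'suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=61352 comm="ntpd" exe="/usr/sbin/ntpd" key="adjtimex_time-change"',
    'type=SYSCALL msg=audit(1315476784.281:537764): arch=c000003e syscall=159 auid=0 uid=38 tty=(none) comm="ntpd" exe="/usr/sbin/ntpd" key="adjtimex_time-change"',
    'type=SYSCALL msg=audit(1315476790.100:537770): arch=c000003e syscall=164 auid=1000 uid=0 tty=pts0 comm="date" exe="/bin/date" key="adjtimex_time-change"',
    'type=SYSCALL msg=audit(1315476795.200:537775): arch=c000003e syscall=159 auid=1000 uid=0 tty=pts1 comm=73657420636C6F636B exe="/usr/bin/perl" key="adjtimex_time-change"',
    'type=SYSCALL msg=audit(1315476799.300:537780): arch=c000003e syscall=2 auid=1000 uid=1000 tty=pts1 comm="cat" exe="/bin/cat" key="other-rule"',
]

if __name__ == "__main__":
    for group, n in summarize(SAMPLE).most_common():
        print(n, *group)
```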



