auditing ntpd
Steve Grubb
sgrubb at redhat.com
Thu Sep 8 13:24:29 UTC 2011
On Thursday, September 08, 2011 06:22:22 AM Vipin Rathor wrote:
> Hi (again),
> I've this rule in audit.rules file to keep a tab on system time change:
> -a always,exit -F arch=b64 -S adjtimex -S settimeofday -F auid!=-1 -k
> adjtimex_time-change
>
> And i'm continuously getting these messages in external logging server:
What does continuously mean? If ntpd is doing this once a minute and you have a rule
that does not exclude ntpd, then its doing the right thing.
What you might want to do is modify the rule to be:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -F auid!=-1 -F uid!=ntp -k
adjtimex_time-change
This makes an exception for the ntp user account.
> node=<hostname> type=SYSCALL msg=audit(1315476783.281:537763):
> arch=c000003e syscall=159 success=yes exit=5 a0=7fff05a77db0 a1=861
> a2=0 a3=1 items=0 ppid=1 pid=2551623 auid=0 uid=38 gid=38 euid=38
> suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=61352
> comm="ntpd" exe="/usr/sbin/ntpd" key="adjtimex_time-change"
The reason you are getting audited is because the auid is root and they restarted
ntpd. By making an exception for ntp uid, it should quieten down the logs. But this
raises a secondary problem, you are allowing root logins which does mess up the audit
trail. Who was being root?
-Steve
More information about the Linux-audit
mailing list