Question regarding ntpd

Paul Moore paul at paul-moore.com
Tue Oct 11 20:49:41 UTC 2016


On Tue, Oct 11, 2016 at 12:07 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> On Monday, October 10, 2016 2:48:23 PM EDT L. A. Walsh wrote:
>> Steve Grubb wrote:
>> > But ntpd overwhelms logs but chronyd might be marginally better. See bz
>> > https://bugzilla.redhat.com/show_bug.cgi?id=918127
>>
>> ---
>> I took a gander at said bugzilla num, and found a minor surprise in that
>> there Miroslav Lichvar said:
>>
>>    "You can use ntpd from the ntp package instead of chrony, it
>>     shouldn't call adjtimex as often as chronyd does."
>> ---
>>
>> I.e. the exact opposite of your (Steve's) statement.  Wondered if that was
>> a misread or newer information...<*idle curiosity*>.
>>
>> Either way sounds like it would be "nice" to differentiate a "read" from
>> a "write" in this syscall if it is to be useful.
>
> I agree. But the problem with this syscall is that the operation is part of a
> data structure that is passed by address to the kernel. There currently is no
> good way to filter its uses because the audit subsystem can only look at the
> actual argument passed. I think there may be an issue opened for this on
> github.

Yep, link below:

* https://github.com/linux-audit/audit-kernel/issues/10

-- 
paul moore
www.paul-moore.com
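
The filtering problem discussed above, as an added example that is not part of the original thread: the operation adjtimex performs is selected by the `modes` field of a `struct timex` in user memory, while a filter on syscall arguments sees only a0, the address of that struct. Helper names and the `X_` constants are hypothetical, and the read/write split follows the kernel's CAP_SYS_TIME check as I understand it.

```c
/* Added example, Linux only; helper names are hypothetical. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/timex.h>

/* Bit values from the kernel's uapi <linux/timex.h>, named locally
 * because the libc header may not expose them. */
#define X_ADJ_ADJTIME         0x8000u
#define X_ADJ_OFFSET_READONLY 0x2000u

/* Read vs. write is decided by tx->modes in user memory:
 * 0 is a pure query, ADJ_OFFSET_SS_READ is a read-only adjtime query,
 * anything else asks the kernel to change the clock. */
static int timex_is_write(const struct timex *tx) {
    unsigned int m = tx->modes;
    if (m & X_ADJ_ADJTIME)
        return !(m & X_ADJ_OFFSET_READONLY);
    return m != 0;
}

/* Fill a caller-supplied buffer with the given modes and classify it. */
static int classify_at(struct timex *slot, unsigned int modes) {
    memset(slot, 0, sizeof *slot);
    slot->modes = modes;
    return timex_is_write(slot);
}

/* A syscall-argument filter sees only a0, the struct's address. Reusing one
 * buffer gives the same a0 for a read and a write; returns 1 when a0 matches
 * but the classification differs. */
static int same_a0_different_op(void) {
    struct timex tx;
    int rd = classify_at(&tx, 0);
    uintptr_t a0_read = (uintptr_t)&tx;
    int wr = classify_at(&tx, ADJ_FREQUENCY);
    uintptr_t a0_write = (uintptr_t)&tx;
    return a0_read == a0_write && rd == 0 && wr == 1;
}

int main(void) {
    struct timex tx;
    memset(&tx, 0, sizeof tx);          /* modes = 0: unprivileged query */
    int state = adjtimex(&tx);
    printf("a0=%p modes=0 write=%d ret=%d\n", (void *)&tx, timex_is_write(&tx), state);
    printf("same a0, different operation: %d\n", same_a0_different_op());
    return 0;
}
```

The classification needs the contents of the struct, which is why a rule keyed on the argument value alone cannot separate clock reads from clock writes.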




More information about the Linux-audit mailing list