Question regarding ntpd

Ryan Sawhill rsawhill at redhat.com
Wed Sep 28 00:21:46 UTC 2016


To say the thing that Steve knows but didn't explicitly point out:

The "time-change" key is used in the standard STIG rules. If you can get
the clearance from the powers-that-be in your org, note that the auditctl
rule format allows you to exclude time-change events generated by something
that you want to trust, e.g., ntpd. I wrote an article for this exact issue
recently on the Red Hat Customer Portal. See: How to exclude specific
users, groups, or services when using auditd to audit syscalls
<https://access.redhat.com/solutions/2477471>
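
An added example, not part of the message above or of the linked Red Hat article: a filter that adds an exclusion to the syscall rules keyed "time-change", so a trusted service's clock adjustments are not logged while everyone else's still are. It assumes SELinux is in use and ntpd runs in the `ntpd_t` domain; the sample rules are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: put "-F subj_type!=<type>" into syscall rules keyed
# time-change. Assumption: the trusted daemon runs in SELinux domain ntpd_t.
TRUSTED_TYPE="ntpd_t"

# Constructed sample rules in the usual audit.rules syntax.
sample_rules() {
cat <<'EOF'
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -k time-change
-w /etc/localtime -p wa -k time-change
-a always,exit -F arch=b64 -S sethostname -k system-locale
EOF
}

# Reads rules on stdin, writes the adjusted rules on stdout.
exclude_trusted() {
    awk -v t="$TRUSTED_TYPE" '
        # Only syscall rules (-a ...) accept extra -F filters. File watches
        # (-w), other keys, and already-filtered rules pass through unchanged,
        # so running the filter twice gives the same result.
        /^-a / && /-k time-change$/ && !/subj_type/ {
            sub(/ -k time-change$/, " -F subj_type!=" t " -k time-change")
        }
        { print }
    '
}

sample_rules | exclude_trusted
```

The `/etc/localtime` watch is left as it is, so writes to that file are still recorded under the same key.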