Question regarding ntpd

Sullivan, Daniel [CRI] dsullivan2 at bsd.uchicago.edu
Wed Sep 28 01:45:57 UTC 2016


Thank you for chiming in, Ryan.  I saw a thread describing a similar strategy out there; what was confusing me was really twofold:

1) the entries being generated every second (i.e. outside of whatever perceived polling interval was configured).
2) the entries apparently not having any meaningful information (if presumably some sort of adjustment was being made); perhaps the -i switch Steve provided will account for this.

I think the responses provided are enough to point me in the right direction.  Thank you for your help.

Dan


On Sep 27, 2016, at 7:21 PM, Ryan Sawhill <rsawhill at redhat.com> wrote:

To say the thing that Steve knows but didn't explicitly point out:

The "time-change" key is used in the standard STIG rules. If you can get the clearance from the powers-that-be in your org, note that the auditctl rule format allows you to exclude time-change events generated by something that you want to trust, e.g., ntpd. I wrote an article for this exact issue recently on the Red Hat Customer Portal. See: How to exclude specific users, groups, or services when using auditd to audit syscalls <https://access.redhat.com/solutions/2477471>
--
Linux-audit mailing list
Linux-audit at redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
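A concrete form of the exclusion Ryan describes, as an added example that is not from this thread or from the Red Hat article it links: a rules fragment that keeps the STIG time-change rules but suppresses the records ntpd itself generates, so the once-a-second adjustments stop flooding the log while a clock change by anything else is still audited. The daemon path /usr/sbin/ntpd and the use of the `-F exe=` field filter are assumptions (check the path with `command -v ntpd`; the exe filter needs a reasonably recent auditctl and kernel). Rule order matters: auditctl evaluates rules in order and the man page recommends putting suppressions at the top of the list, so the `never` rules are emitted before the `always` rules and a small check function confirms that.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or the linked article.
# Generates an audit.rules fragment that keeps the STIG "time-change" rules
# but suppresses the events ntpd produces when it disciplines the clock.

NTPD_EXE=/usr/sbin/ntpd   # assumption: adjust to the output of `command -v ntpd`

# Print the rules. The "never" suppression rules come first because auditctl
# stops at the first matching rule, so a suppression below the "always" rule
# would never take effect.
time_change_rules() {
    cat <<EOF
# Suppress clock-setting syscalls made by the trusted time daemon (ntpd)
-a never,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -F exe=${NTPD_EXE}
-a never,exit -F arch=b32 -S adjtimex,settimeofday,stime,clock_settime -F exe=${NTPD_EXE}
# Standard STIG time-change rules for every other process
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -F key=time-change
-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime,clock_settime -F key=time-change
-w /etc/localtime -p wa -k time-change
EOF
}

# Sanity check on the generated fragment: the first "never" rule must appear
# before the first "always" rule. Returns 0 when the order is correct.
check_rule_order() {
    never_line=$(time_change_rules | grep -n -- '^-a never,exit' | head -1 | cut -d: -f1)
    always_line=$(time_change_rules | grep -n -- '^-a always,exit' | head -1 | cut -d: -f1)
    [ -n "$never_line" ] && [ -n "$always_line" ] && [ "$never_line" -lt "$always_line" ]
}

# Write the fragment to a file. The path is a parameter so the function can be
# exercised without touching /etc/audit/rules.d; in production something like
# /etc/audit/rules.d/time-change.rules followed by `augenrules --load` is typical.
write_rules_file() {
    check_rule_order || return 1
    time_change_rules > "$1"
}
```

Load the written file with `augenrules --load` (or `auditctl -R <file>` on older systems) and confirm with `auditctl -l` that the `never` rules are listed above the `time-change` rules; a clock change made by any process other than ntpd will still produce a `time-change` record, which can be checked with `ausearch -k time-change -i`.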
