[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: auditing ntpd



On Thursday, September 08, 2011 06:22:22 AM Vipin Rathor wrote:
> Hi (again),
> I've this rule in audit.rules file to keep a tab on system time change:
> -a always,exit -F arch=b64 -S adjtimex -S settimeofday -F auid!=-1 -k
> adjtimex_time-change
> 
> And i'm continuously getting these messages in external logging server:

What does continuously mean? If ntpd is doing this once a minute and you have a rule 
that does not exclude ntpd, then its doing the right thing.

What you might want to do is modify the rule to be:

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -F auid!=-1 -F uid!=ntp -k
 adjtimex_time-change

This makes an exception for the ntp user account.


> node=<hostname> type=SYSCALL msg=audit(1315476783.281:537763):
> arch=c000003e syscall=159 success=yes exit=5 a0=7fff05a77db0 a1=861
> a2=0 a3=1 items=0 ppid=1 pid=2551623 auid=0 uid=38 gid=38 euid=38
> suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=61352
> comm="ntpd" exe="/usr/sbin/ntpd" key="adjtimex_time-change"

The reason you are getting audited is because the auid is root and they restarted 
ntpd. By making an exception for ntp uid, it should quieten down the logs. But this 
raises a secondary problem, you are allowing root logins which does mess up the audit 
trail. Who was being root?

-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]