Date: Mon, 23 Sep 2019 11:50:41 -0400
From: Dave Jones
To: Linux Kernel
Cc: Paul Moore, Eric Paris
Subject: ntp audit spew.
Message-ID: <20190923155041.GA14807@codemonkey.org.uk>

I have some hosts that are constantly spewing audit messages like so:

[46897.591182] audit: type=1333 audit(1569250288.663:220): op=offset old=2543677901372 new=2980866217213
[46897.591184] audit: type=1333 audit(1569250288.663:221): op=freq old=-2443166611284 new=-2436281764244
[48850.604005] audit: type=1333 audit(1569252241.675:222): op=offset old=1850302393317 new=3190241577926
[48850.604008] audit: type=1333 audit(1569252241.675:223): op=freq old=-2436281764244 new=-2413071187316
[49926.567270] audit: type=1333 audit(1569253317.638:224): op=offset old=2453141035832 new=2372389610455
[49926.567273] audit: type=1333 audit(1569253317.638:225): op=freq old=-2413071187316 new=-2403561671476

This gets emitted every time ntp makes an adjustment, which is apparently very frequent on some hosts.

Audit isn't even enabled on these machines.

# auditctl -l
No rules
# auditctl -s
enabled 0
failure 1
pid 0
rate_limit 0
backlog_limit 64
lost 0
backlog 0
loginuid_immutable 0 unlocked

Aside from the log spew, why is this code doing _anything_ when audit isn't enabled?

Something like this:

diff --git a/kernel/audit.c b/kernel/audit.c index da8dc0db5bd3..1291d826c024 100644 --- a/kernel/audit.c +++ b/kernel/audit.c 
@@ -2340,6 +2340,9 @@ void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, struct audit_buffer *ab; va_list args; + if (audit_initialized != AUDIT_INITIALIZED) + return; + ab = audit_log_start(ctx, gfp_mask, type); if (ab) { va_start(args, fmt);

Might silence the spew, but I'm concerned that the amount of work that audit is doing on an unconfigured machine might warrant further investigation.

("turn off CONFIG_AUDIT" isn't an option unfortunately, as this is a one-size-fits-all kernel that runs on some other hosts that /do/ have audit configured)

Dave
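
Review bot: the new early return at the top of audit_log() tests audit_initialized != AUDIT_INITIALIZED, which is the subsystem's initialization state, not the enabled flag that `auditctl -s` reports as `enabled 0` above; on a booted host where audit has finished initializing but is left disabled, this condition would be false and the type=1333 records would still be emitted. Consider gating on the enabled state (audit_enabled) instead, or in addition. The check also sits only in audit_log(), so callers that go to audit_log_start() directly are not covered; placing it there, or in the ntp logging path itself, would match the stated goal more closely. A one-line comment saying why the function bails out would help.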