From: Paul Moore
Date: Mon, 23 Sep 2019 12:14:14 -0400
Subject: Re: ntp audit spew.
To: Dave Jones
Cc: Linux Kernel, Eric Paris, linux-audit@redhat.com
In-Reply-To: <20190923155041.GA14807@codemonkey.org.uk>
List-ID: linux-kernel@vger.kernel.org

On Mon, Sep 23, 2019 at 11:50 AM Dave Jones wrote:
>
> I have some hosts that are constantly spewing audit messages like so:
>
> [46897.591182] audit: type=1333 audit(1569250288.663:220): op=offset old=2543677901372 new=2980866217213
> [46897.591184] audit: type=1333 audit(1569250288.663:221): op=freq old=-2443166611284 new=-2436281764244
> [48850.604005] audit: type=1333 audit(1569252241.675:222): op=offset old=1850302393317 new=3190241577926
> [48850.604008] audit: type=1333 audit(1569252241.675:223): op=freq old=-2436281764244 new=-2413071187316
> [49926.567270] audit: type=1333 audit(1569253317.638:224): op=offset old=2453141035832 new=2372389610455
> [49926.567273] audit: type=1333 audit(1569253317.638:225): op=freq old=-2413071187316 new=-2403561671476
>
> This gets emitted every time ntp makes an adjustment, which is apparently very frequent on some hosts.
>
> Audit isn't even enabled on these machines.
>
> # auditctl -l
> No rules

[NOTE: added linux-audit to the CC line]

There is an audit mailing list, please CC it when you have audit concerns/questions/etc.

What happens when you run 'auditctl -a never,task'? That *should* silence those messages as the audit_ntp_log() function has the requisite audit_dummy_context() check. FWIW, this is the distro default for many (most? all?) distros; for example, check /etc/audit/audit.rules on a stock Fedora system.

A more selective configuration could simply exclude the TIME_ADJNTPVAL record (type 1333) from the records that the kernel emits.

We could also add an audit_enabled check at the top of audit_ntp_log()/__audit_ntp_log(), but I imagine some of that depends on the various security requirements (they can be bizarre and I can't say I'm up to date on all those - Steve Grubb should be able to comment on that).

--
paul moore
www.paul-moore.com
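As an added example (not code from this thread, nor from the kernel or audit userspace projects), the shell below triages the type=1333 records Dave quoted and prints the two rule-level options from Paul's reply. The six log lines are copied from the thread as constructed input; the exclude-list rule syntax (`-a always,exclude -F msgtype=...`) follows the auditctl man page and is an assumption to verify against the audit version on your hosts.

```shell
#!/bin/sh
# Added example, not from the thread: count and time the TIME_ADJNTPVAL
# (type=1333) records and print the audit.rules lines that stop them.

# Constructed input: the six kernel log lines from Dave's message.
SAMPLE_LOG='[46897.591182] audit: type=1333 audit(1569250288.663:220): op=offset old=2543677901372 new=2980866217213
[46897.591184] audit: type=1333 audit(1569250288.663:221): op=freq old=-2443166611284 new=-2436281764244
[48850.604005] audit: type=1333 audit(1569252241.675:222): op=offset old=1850302393317 new=3190241577926
[48850.604008] audit: type=1333 audit(1569252241.675:223): op=freq old=-2436281764244 new=-2413071187316
[49926.567270] audit: type=1333 audit(1569253317.638:224): op=offset old=2453141035832 new=2372389610455
[49926.567273] audit: type=1333 audit(1569253317.638:225): op=freq old=-2413071187316 new=-2403561671476'

# count_ntp_records LOG [OP]: number of type=1333 records in LOG, optionally
# only those whose op= field equals OP (offset, freq, ...). grep -c prints 0
# but exits 1 when nothing matches, hence the "|| true".
count_ntp_records() {
    if [ -n "${2:-}" ]; then
        printf '%s\n' "$1" | grep -c "type=1333 .* op=$2 " || true
    else
        printf '%s\n' "$1" | grep -c 'type=1333 ' || true
    fi
}

# ntp_adjust_gaps LOG: whole seconds between consecutive op=offset records,
# taken from the epoch timestamp inside "audit(SECONDS.MSEC:SERIAL)". Short
# gaps are what turn these records into console spam on a busy ntp host.
ntp_adjust_gaps() {
    printf '%s\n' "$1" | awk '
        /type=1333 / && / op=offset / {
            if (match($0, /audit\([0-9]+/)) {
                # "audit(" is 6 characters; the digits after it are the seconds
                t = substr($0, RSTART + 6, RLENGTH - 6)
                if (prev != "") {
                    sep = (gaps == "") ? "" : " "
                    gaps = gaps sep int(t - prev)
                }
                prev = t
            }
        }
        END { print gaps }'
}

# silence_rule MODE: the /etc/audit/audit.rules line for each approach.
#   task    - the distro-default "-a never,task": the task filter is evaluated
#             when a task is created, so every new task gets a dummy audit
#             context and audit_ntp_log()'s audit_dummy_context() check skips
#             it. Processes already running keep their existing context.
#   exclude - audit everything else but drop only record type 1333
#             (TIME_ADJNTPVAL). Assumption: exclude-list syntax per the
#             auditctl man page; confirm it loads on your audit version.
silence_rule() {
    case "$1" in
        task)    echo '-a never,task' ;;
        exclude) echo '-a always,exclude -F msgtype=1333' ;;
        *)       echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# Stand-alone run: summarise the sample and print both rules.
echo "type=1333 records: $(count_ntp_records "$SAMPLE_LOG")" \
     "(offset: $(count_ntp_records "$SAMPLE_LOG" offset)," \
     "freq: $(count_ntp_records "$SAMPLE_LOG" freq))"
echo "seconds between offset adjustments: $(ntp_adjust_gaps "$SAMPLE_LOG")"
silence_rule task
silence_rule exclude
```

Run it against `dmesg` output instead of `SAMPLE_LOG` to see how often a given host is adjusting. Because the task list is only consulted at fork, loading `-a never,task` quiets ntpd and chronyd only after they restart; the exclude rule takes effect for all tasks as soon as it is loaded.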