Received: by 2002:a25:824b:0:0:0:0:0 with SMTP id d11csp1185368ybn;
        Wed, 25 Sep 2019 13:50:24 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzyDvQ7ivlDJfbXxD2UWrQyRnCAWV4nfoFzmw7YDjH090s+rAxNBi6ENKEgSnvAbt5CUi8Z
X-Received: by 2002:a05:6402:1699:: with SMTP id a25mr5184949edv.91.1569444624330;
        Wed, 25 Sep 2019 13:50:24 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1569444624; cv=none;
        d=google.com; s=arc-20160816;
        b=XGt5yx3z7Jw/AyZaiGYvsyxHUeF9T1I/EAx+hfuWhpjbz/hbp7jT5mvSDkMDyrkBYK
         cUDa1XFl5qNej4aYZaWpd9T/HjrJgSe6ZMCvpD126lY3F9dmnQj7g3yfAqiFFCM9zDjm
         0ANlWwQPqhU3Ej5TVlyLnxTAn//iugdzBB8rESSgAuPhVjmTuuro2IbJNzPSLVir/QJq
         gQ8cClxVZj3/S1euEE2yYgwDaw8gE3x7AMbo4ycbuXJ/kd4thdxvf3hNsVY15ZfPXWF3
         qfxYVqakY+45D4PRPddzN1BmPvje9SbLyrjOGnzrGwpgLOkjqdWVLA2Dgfk/Jtd7iHLA
         mm6Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=/9wM70GeJDNUGZe5ZLnpg6WVa1oWcgg26Mn74A2MeDw=;
        b=wZvggg3wXaYycUQmwYUZx/JbzaI85tfXWPEYoYJ+vtdRDWMvdPKFuWjVTm+DvNZT4a
         AA6YsETrdTNhzisClsmnumjhzo4uFk9o4C28fjJ/c/MqW+KWVk7/ng2TtJY0X7OLy+iv
         dlwKDOs2KAOu5ZFNR90/KYjD2u3GiF09rk5LgRGb7+DcY/SzTpzP/yNfxMGyfoy/xT9H
         z5j4sHlYYKs8Cz49ZGDDtj++4YpOgi4lQrgyM9Z53e6+xOFLa+FarFXR+oVeA/JNpNuW
         keFozonxPzHDJCzLGsJjpwb9QTp4i6aK6NULRNtFotqM4lbLnp6QbO5mCt6e91luuGut
         hKAA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b="riX/7Yuy";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id y50si118237edd.237.2019.09.25.13.49.56;
        Wed, 25 Sep 2019 13:50:24 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b="riX/7Yuy";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2388517AbfIWQO2 (ORCPT
        <rfc822;ArcheFireLinuxKernelMain@gmail.com> + 99 others);
        Mon, 23 Sep 2019 12:14:28 -0400
Received: from mail-lf1-f67.google.com ([209.85.167.67]:45342 "EHLO
        mail-lf1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S2388155AbfIWQO1 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 23 Sep 2019 12:14:27 -0400
Received: by mail-lf1-f67.google.com with SMTP id r134so10554666lff.12
        for <linux-kernel@vger.kernel.org>; Mon, 23 Sep 2019 09:14:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paul-moore-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=/9wM70GeJDNUGZe5ZLnpg6WVa1oWcgg26Mn74A2MeDw=;
        b=riX/7Yuy0Xbn3hi0u9kl91tN7pbLNX5VzV9CZtxq96y6hfb5qc8xynkUeTiddv9feI
         pGZouRHLz520odaH3C4i5eHcOSU2wmlZUaf/qY0dHC6KhT7T1e+X3e90ezDE21WFKixf
         sr2Yfd0PfwHvhqha2y7y8Irq5FJC1b1UQFSe5zrWLrGUALY7idJ5E+ASJmBUtZuF52CU
         j5CG26LnbkfD/rQhdtKkV0duufWoJHOL2tm4UsXlmYImXzAYTpHkqBfz+mn55cXPh5Eu
         E+y16McKF8A0X+k0OtVoVeHPFhxbfm4A9eIO826OLXfNf3WJIeIQuwNQLFUYoIgTavZ2
         VXpQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=/9wM70GeJDNUGZe5ZLnpg6WVa1oWcgg26Mn74A2MeDw=;
        b=OjqjnhEg4Y4pU69hkaz9jE71wQ3vgI0L75FyPWGUqXhxqCH7MIdWruEL/HI7blQQ+r
         imyRkThV40d1VNX+IFI7QpLy9erio2lfgcQZn3MqBz3X8W9UzFX0FOYT5XmkurOOfCTF
         1O9IqHMuoRg5xfAI+79RalAIUewSDoHkwJk09ECslGpztSRutHEik2HVeHt1r0HGOZAB
         +9mXSVtHXzM5ACZGxHKztyt1UOd5BwNiJS0xMl9xl19ewiuZ9o3m96ugMVtvwmz1gaZd
         fmy9ULJZpy82aB+lvWmP3BJdnMgQ4M6Y+dpSbCjZ83+z0WBsIyH5X7IP5sJRcFW5G999
         cDdw==
X-Gm-Message-State: APjAAAUiMlreqNiYSM8F+cgd4V4iPWXxLN84VdPhEVwbYNfB7PyEO5FX
        zFWYre5EK7focXwAMfZCpNn5tDDvfpNRPvMpV1Tq
X-Received: by 2002:a05:6512:202:: with SMTP id a2mr209351lfo.175.1569255265495;
 Mon, 23 Sep 2019 09:14:25 -0700 (PDT)
MIME-Version: 1.0
References: <20190923155041.GA14807@codemonkey.org.uk>
In-Reply-To: <20190923155041.GA14807@codemonkey.org.uk>
From:   Paul Moore <paul@paul-moore.com>
Date:   Mon, 23 Sep 2019 12:14:14 -0400
Message-ID: <CAHC9VhTyz7fd+iQaymVXUGFe3ZA5Z_WkJeY_snDYiZ9GP6gCOA@mail.gmail.com>
Subject: Re: ntp audit spew.
To:     Dave Jones <davej@codemonkey.org.uk>
Cc:     Linux Kernel <linux-kernel@vger.kernel.org>,
        Eric Paris <eparis@redhat.com>, linux-audit@redhat.com
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Sep 23, 2019 at 11:50 AM Dave Jones <davej@codemonkey.org.uk> wrote:
>
> I have some hosts that are constantly spewing audit messages like so:
>
> [46897.591182] audit: type=1333 audit(1569250288.663:220): op=offset old=2543677901372 new=2980866217213
> [46897.591184] audit: type=1333 audit(1569250288.663:221): op=freq old=-2443166611284 new=-2436281764244
> [48850.604005] audit: type=1333 audit(1569252241.675:222): op=offset old=1850302393317 new=3190241577926
> [48850.604008] audit: type=1333 audit(1569252241.675:223): op=freq old=-2436281764244 new=-2413071187316
> [49926.567270] audit: type=1333 audit(1569253317.638:224): op=offset old=2453141035832 new=2372389610455
> [49926.567273] audit: type=1333 audit(1569253317.638:225): op=freq old=-2413071187316 new=-2403561671476
>
> This gets emitted every time ntp makes an adjustment, which is apparently very frequent on some hosts.
>
>
> Audit isn't even enabled on these machines.
>
> # auditctl -l
> No rules

[NOTE: added linux-audit to the CC line]

There is an audit mailing list, please CC it when you have audit
concerns/questions/etc.

What happens when you run 'auditctl -a never,task'?  That *should*
silence those messages as the audit_ntp_log() function has the
requisite audit_dummy_context() check.  FWIW, this is the distro
default for many (most? all?) distros; for example, check
/etc/audit/audit.rules on a stock Fedora system.  A more selective
configuration could simply exclude the TIME_ADJNTPVAL record (type
1333) from the records that the kernel emits.

We could also add a audit_enabled check at the top of
audit_ntp_log()/__audit_ntp_log(), but I imagine some of that depends
on the various security requirements (they can be bizzare and I can't
say I'm up to date on all those - Steve Grubb should be able to
comment on that).

-- 
paul moore
www.paul-moore.com