Received: by 2002:a25:824b:0:0:0:0:0 with SMTP id d11csp1487145ybn; Wed, 25 Sep 2019 19:37:34 -0700 (PDT) X-Google-Smtp-Source: APXvYqzknvk/8Zb2HCDMj/bZOvIEJ2bqnr+U6w5sbuZyBm+vA/w51t0v1wuJioYCgaNzC4C4abQe X-Received: by 2002:a50:886d:: with SMTP id c42mr1241828edc.24.1569465454485; Wed, 25 Sep 2019 19:37:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1569465454; cv=none; d=google.com; s=arc-20160816; b=qF1uTYxGEWn/sp7FpvNsf2SHncT/8u/d2gs2ch4tmaO9g68L6ymwKcTlZUS0v+7hbT PWwqeupcjP1qtYUDdBfH4zTcyuhiJaXCw4D9LiZaukL6SuO8045QvL4KEKrdy6Dwte/0 wSthvVFTRfkM+cnhhfBDWDj+EQ7m9vPMcIa3Kw2A0UyPe7uEaV23gjSgoLxdTSZIO8i9 fIXOZx14F1Tom5+/zKbSu0uAJ264vSoUrgcZFmwlzWg7dUy/vyE3yG2cpzSNuDz1WwSd iZLOdSmPC2of9wUKP3fZP2cCnc8BrrAfltgw9BPngfkZiCvaRpZm2NUi2x5r1gq30oI1 eveA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=m4tgrGihcnnMxK6tf6Ms9qDSNmgdGrksSS0BVGhZJ1E=; b=P8ifNgZNYQljpIgQV54HOZ9M9lHAmhfFSKah/AZdW7k81z75vhWzYeM4xm9yr0WrZ6 7yTKdZwPtVVNGy1m2UU0Lq3Yz/oHN2np6OHr7IQXZXT2HJ141eyuLk6kpKfr5aXMP6V7 8guZViEimqSLZ5e5dEGCg4ojhkhylApGCcJOWGt4s6ktJwuTW+RNedc/ni6VHR1+jOPU G58MK9SO9EXGTxpgGQ+qMOm+XDF4POT3AoD+mvoPqLS38k/ZjwrDpBdEcMRMlfHE5hh3 FqtgxMxHFZQQRNy4J3ZNbSr+1HeC7amtYgVxEDP/EobgHxZWIuQYUap5H/zItDY1yWbE MoIA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=Vuc1VnR6; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d32si523820eda.266.2019.09.25.19.37.09; Wed, 25 Sep 2019 19:37:34 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=Vuc1VnR6; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731804AbfIWS5W (ORCPT + 99 others); Mon, 23 Sep 2019 14:57:22 -0400 Received: from mail-lf1-f67.google.com ([209.85.167.67]:34219 "EHLO mail-lf1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731258AbfIWS5W (ORCPT ); Mon, 23 Sep 2019 14:57:22 -0400 Received: by mail-lf1-f67.google.com with SMTP id r22so10984807lfm.1 for ; Mon, 23 Sep 2019 11:57:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=m4tgrGihcnnMxK6tf6Ms9qDSNmgdGrksSS0BVGhZJ1E=; b=Vuc1VnR62B0oJl7jXHhRX8MAVLKvNBiajFdnjcYaVEXV3zkbWaM41bUU65zSidpphj AFtRxoPEXlYYkxXyhY4G/F3+iRAwwazFEeMQhd6OVQBcQjfnpblE6Gm7J7meV5zhyaSf S6YgEHu8qww8SMXXeagBNtQG40LQYJEKFX3yGo/qxZGmigy/UmtnAEgo0pehtVcFZvgq zQJKaNihjd8Fai1gUZNGbmujWFLCbQoI/SuhivlbZ9NLou1tNbAywYyxCYSwYnZsSjxg j6bkz6shsdU32J3Gpg72zzy4oDhGL4cbNn8qmXAq+RcA+4teL+kn3akE0mzmYFnQVpWo mpdw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=m4tgrGihcnnMxK6tf6Ms9qDSNmgdGrksSS0BVGhZJ1E=; b=XMyZBj3Eysb70Fq24P49uvH1iR+QKsZJ3cbn5eQb6Bsux0Wr58XTPjrjv34aGHI++x tDwOwiOc01SyHvv5U3r8g0HSh8PZPC0hleqzaXdGvHAQNyLpRUGHCoBuV38h3WxOuRnS 9A1HkwY8dk4gB56kIvkq3CFeaMbfmmfwCcXP1KLrW4Tanq2SlZBG9bBC1sadU1fRrauu aURzWDhAsUQ1fp30DDNL0Di2t0xN5TgqFap6FLY+B8YeU/A7ZZ0S2zBlG5pkRFN4T9JN qTPT9i/tLit92K3I2mbqUmrq+kSV4K2tCll9sK4gOiMhhPpu9T6YJqIciM3AZFShnKx0 5gXw== X-Gm-Message-State: APjAAAU98aghby8kJ3ua3ErR8M31RV8apnmtDa1QihwSNk5v13Ondy6I YQ0Ji7MKrrlWWRkefnZ/Q8p6+/jt4yYonPbXnTXaXB0= X-Received: by 2002:a05:6512:202:: with SMTP id a2mr590505lfo.175.1569265039864; Mon, 23 Sep 2019 11:57:19 -0700 (PDT) MIME-Version: 1.0 References: <20190923155041.GA14807@codemonkey.org.uk> <20190923165806.GA21466@codemonkey.org.uk> In-Reply-To: <20190923165806.GA21466@codemonkey.org.uk> From: Paul Moore Date: Mon, 23 Sep 2019 14:57:08 -0400 Message-ID: Subject: Re: ntp audit spew. To: Dave Jones Cc: Linux Kernel , Eric Paris , linux-audit@redhat.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Sep 23, 2019 at 12:58 PM Dave Jones wrote: > On Mon, Sep 23, 2019 at 12:14:14PM -0400, Paul Moore wrote: > > On Mon, Sep 23, 2019 at 11:50 AM Dave Jones wrote: > > > > > > I have some hosts that are constantly spewing audit messages like so: > > > > > > [46897.591182] audit: type=1333 audit(1569250288.663:220): op=offset old=2543677901372 new=2980866217213 > > > [46897.591184] audit: type=1333 audit(1569250288.663:221): op=freq old=-2443166611284 new=-2436281764244 > > > [48850.604005] audit: type=1333 audit(1569252241.675:222): op=offset old=1850302393317 new=3190241577926 > > > [48850.604008] audit: type=1333 audit(1569252241.675:223): op=freq old=-2436281764244 new=-2413071187316 > > > [49926.567270] audit: type=1333 audit(1569253317.638:224): op=offset old=2453141035832 new=2372389610455 > > > [49926.567273] audit: type=1333 audit(1569253317.638:225): op=freq old=-2413071187316 new=-2403561671476 > > > > > > This gets emitted every time ntp makes an adjustment, which is apparently very frequent on some hosts. > > > > > > > > > Audit isn't even enabled on these machines. > > > > > > # auditctl -l > > > No rules > > > > What happens when you run 'auditctl -a never,task'? That *should* > > silence those messages as the audit_ntp_log() function has the > > requisite audit_dummy_context() check. > > They still get emitted. > > > FWIW, this is the distro > > default for many (most? all?) distros; for example, check > > /etc/audit/audit.rules on a stock Fedora system. > > As these machines aren't using audit, they aren't running auditd either. > Essentially: nothing enables audit, but the kernel side continues to log > ntp regardless (no other audit messages seem to do this). What does your kernel command line look like? Do you have "audit=1" somewhere in there? -- paul moore www.paul-moore.com