From: Paul Moore
Date: Tue, 24 Sep 2019 13:01:26 -0400
Subject: Re: ntp audit spew.
To: Steve Grubb
Cc: linux-audit@redhat.com, Dave Jones, Linux Kernel
List-ID: linux-kernel@vger.kernel.org
References: <20190923155041.GA14807@codemonkey.org.uk> <2130348.JY4ctgmguH@x2>
In-Reply-To: <2130348.JY4ctgmguH@x2>

On Tue, Sep 24, 2019 at 9:19 AM Steve Grubb wrote:
> On Monday, September 23, 2019 12:14:14 PM EDT Paul Moore wrote:
> > On Mon, Sep 23, 2019 at 11:50 AM Dave Jones wrote:
> > > I have some hosts that are constantly spewing audit messages like so:
> > >
> > > [46897.591182] audit: type=1333 audit(1569250288.663:220): op=offset old=2543677901372 new=2980866217213
> > > [46897.591184] audit: type=1333 audit(1569250288.663:221): op=freq old=-2443166611284 new=-2436281764244
> > > [48850.604005] audit: type=1333 audit(1569252241.675:222): op=offset old=1850302393317 new=3190241577926
> > > [48850.604008] audit: type=1333 audit(1569252241.675:223): op=freq old=-2436281764244 new=-2413071187316
> > > [49926.567270] audit: type=1333 audit(1569253317.638:224): op=offset old=2453141035832 new=2372389610455
> > > [49926.567273] audit: type=1333 audit(1569253317.638:225): op=freq old=-2413071187316 new=-2403561671476
> > >
> > > This gets emitted every time ntp makes an adjustment, which is apparently
> > > very frequent on some hosts.
> > >
> > > Audit isn't even enabled on these machines.
> > >
> > > # auditctl -l
> > > No rules
> >
> > [NOTE: added linux-audit to the CC line]
> >
> > There is an audit mailing list, please CC it when you have audit
> > concerns/questions/etc.
> >
> > What happens when you run 'auditctl -a never,task'?
>
> Actually, "-e 0" should turn it off. There is a general problem where systemd
> turns on auditing just because it can. The above rule just makes audit
> processes inauditable, but does not affect the kernel originating events.

The 'auditctl -s' output was lost when I trimmed/replied to DaveJ's
original email (sorry), but it appears that audit_enabled is already '0':

> # auditctl -s
> enabled 0
> failure 1
> pid 0
> rate_limit 0
> backlog_limit 64
> lost 0
> backlog 0
> loginuid_immutable 0 unlocked

Original post from DaveJ:
* https://lore.kernel.org/lkml/20190923155041.GA14807@codemonkey.org.uk

-- 
paul moore
www.paul-moore.com
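The records quoted in this thread are the kernel's time-adjustment audit events (type=1333, one `op=offset` and one `op=freq` record per NTP adjustment), printed through dmesg because no audit daemon is running. Before deciding whether such spew is harmless noise or a sign that audit state is not what `auditctl -s` reports, an operator usually wants to know how often the events fire and whether the sequence is internally consistent. The following is an added example, not code from the thread or from the kernel audit tooling: a small Python parser for the dmesg-style `audit: type=... audit(ts:serial): key=value ...` format, run over a sample log constructed from the six lines quoted above plus one unrelated kernel line that must be skipped. It groups the type=1333 records by `op`, reports how many fired, the largest change per record, the shortest interval between events, and whether each record's `old` value equals the previous record's `new` value (which a clean adjustment sequence should satisfy).

```python
import re
from collections import defaultdict

# Constructed sample log: the six records quoted in the thread plus one
# non-audit kernel line, so the parser's skip path is exercised too.
SAMPLE_LOG = """\
[46897.591182] audit: type=1333 audit(1569250288.663:220): op=offset old=2543677901372 new=2980866217213
[46897.591184] audit: type=1333 audit(1569250288.663:221): op=freq old=-2443166611284 new=-2436281764244
[48850.604005] audit: type=1333 audit(1569252241.675:222): op=offset old=1850302393317 new=3190241577926
[48850.604008] audit: type=1333 audit(1569252241.675:223): op=freq old=-2436281764244 new=-2413071187316
[49926.567270] audit: type=1333 audit(1569253317.638:224): op=offset old=2453141035832 new=2372389610455
[49926.567273] audit: type=1333 audit(1569253317.638:225): op=freq old=-2413071187316 new=-2403561671476
[49930.000000] kernel: unrelated line that the parser must skip
"""

# Matches the audit prefix as printed by the kernel's printk fallback:
# "audit: type=<N> audit(<epoch.msec>:<serial>): <key=value ...>"
AUDIT_RE = re.compile(
    r"audit: type=(?P<type>\d+) audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<fields>.*)$"
)


def parse_record(line):
    """Return a dict for one audit record, or None for lines that are not audit records."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    rec = {
        "type": int(m.group("type")),
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
    }
    # Remaining key=value pairs; integers (possibly negative) become ints.
    for key, val in re.findall(r"(\w+)=(\S+)", m.group("fields")):
        rec[key] = int(val) if re.fullmatch(r"-?\d+", val) else val
    return rec


def summarize_time_adjustments(text):
    """Group type=1333 records by op and describe how they behave over time."""
    by_op = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None and rec["type"] == 1333 and "op" in rec:
            by_op[rec["op"]].append(rec)

    summary = {}
    for op, recs in by_op.items():
        recs.sort(key=lambda r: r["serial"])
        deltas = [r["new"] - r["old"] for r in recs]
        pairs = list(zip(recs, recs[1:]))
        gaps = [b["ts"] - a["ts"] for a, b in pairs]
        summary[op] = {
            "count": len(recs),
            # Largest single adjustment reported for this op.
            "max_abs_delta": max(abs(d) for d in deltas),
            # Shortest spacing between two events of this op, in seconds.
            "min_gap_s": round(min(gaps), 3) if gaps else None,
            # True when every record's old value equals the previous record's new value.
            "chained": all(b["old"] == a["new"] for a, b in pairs),
        }
    return summary


if __name__ == "__main__":
    for op, info in summarize_time_adjustments(SAMPLE_LOG).items():
        print(op, info)
```

On the sample above the `freq` records chain cleanly (each `old` equals the preceding `new`) while the `offset` records do not, which is what one would expect: frequency is a persistent clock parameter, whereas each offset record reports the current error measured by ntp at that moment. The `min_gap_s` figure is the one to compare with a site's tolerance for log volume before concluding, as the thread does, that the events are firing despite `enabled 0`.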