Received: by 2002:a25:824b:0:0:0:0:0 with SMTP id d11csp2232140ybn; Thu, 26 Sep 2019 08:52:43 -0700 (PDT) X-Google-Smtp-Source: APXvYqyzU642oYVzmHSR2p7Kef66ZcKTBp0q0AdkAX7Z/16l/1v6jbBjxC6gtYtfyOSDOZyFNwMO X-Received: by 2002:a50:f603:: with SMTP id c3mr4364370edn.208.1569513163107; Thu, 26 Sep 2019 08:52:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1569513163; cv=none; d=google.com; s=arc-20160816; b=BKB3X2I+xevH1YvlKrA0XWNV9Xh0K0DMCIL+Dt6Z6wY97zI9GHenKigzZEHq/AHLnK 1jWKZ9lyuisw3WRcZxpMkQAOwdmMAvhX0JkQKbrjt+gja330s9aS5aXBhQ2mgeK70T+x 82M/Hs1oBF7ovsKIi11ant6Uhu/IRlPGxeJmwihkdcofDpDLEQZJl0DAFC0NtgvC+w2n CP4HXA50CVyOzFhVjqiIHMH7LQ27Mvnrhy6lXwyba2B/+B0oDi/nbk+HvSvr+R0ssB0D 3BYrb6W5oAxcW+6neA4K8ZftNbrGB+zvqtggGqc7/PPJKoo08OPKNIzCu6dIFVk/pDUR 1vXA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=KC2Nd1YvSxVp+ypAR2gexRbTcYIPCDvOfmcETC4TvmY=; b=Et2SXO45gHk9Dlzhp3FHqfw5WIy6c5+DOxpR+hqvXehfH9jdvvYITjHtHbYR4pHIxl KgLPGMMrpHUlBdGlIoJMGAPUquBoESkY3ZhuygjfZsYZR5OjsTkUn+PLPeKQdIqL83Ef D3zsyXc3M6CbFbUBbui8+ZKzBi3yFHXkpjYW3G4Levrgbrldy7rNV/ThYtskwrm3n5OT t+mjMMOlO7sUW1Lxhu1HNpl3vM8A2l54BG6r0x1Fdo09R1Lz8j5pRtcJM31hb0haBO/G CAfSvONaWvHAYGzBE/987/6amusYbL6yX3bPWLfOaXYuS04hAagLjoyB2BEd5bNsIiiq iQ+w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b="MD/lsc1P"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id qq19si1239257ejb.85.2019.09.26.08.52.18; Thu, 26 Sep 2019 08:52:43 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b="MD/lsc1P"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727305AbfIZPuW (ORCPT + 99 others); Thu, 26 Sep 2019 11:50:22 -0400 Received: from mail-lj1-f196.google.com ([209.85.208.196]:44822 "EHLO mail-lj1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727147AbfIZPuW (ORCPT ); Thu, 26 Sep 2019 11:50:22 -0400 Received: by mail-lj1-f196.google.com with SMTP id m13so2680533ljj.11 for ; Thu, 26 Sep 2019 08:50:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KC2Nd1YvSxVp+ypAR2gexRbTcYIPCDvOfmcETC4TvmY=; b=MD/lsc1PmexES60c5rwL/OcBjrXwSz+Zd/Dyiw/BmhqrVGdAPVejWwpWFQZCxnohBY sKYYSS7tPVopGEri512NtdRXaUfp7jscCaKwH2AQ5qLtTH6twvJCi3MTYUnuxv8BvoCC +daFYXmUTObudzykh3SlU6XWdXdXFfXFAo7x+0wszhIsJ+763FC5SCikMynoiMKhlcOc MPgqEn3P6uPJxR1dCT6z24WKbo8twiPXl5Qps05rbju6prC3YWZe2/qSm8ZVOOR+voDU AT1glNxlOWUPILa45m4wCMjQpzTb8PR1MLnMTAkcRXF2tqKzRjr88Qy5sSJ0fdEGZYSn ubpw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KC2Nd1YvSxVp+ypAR2gexRbTcYIPCDvOfmcETC4TvmY=; b=GY1gxJXoDTRApYFP6dByez27w5I1vB/5oZyMuKNIijVDYwWv68mdrsWtl186grVr5O B2GxQiAvEoWMv0H/lcj3lJF5HS5Zwcm8FKQCwX4rdIRk7wZF41tzCO87hdHX6SVFGzMb 6uPFNGypq/xci0gISsOWhFaTHcj1ic0qQ0i+Xs5tbrOzroSOPz1gpk1+hfJ3Hmf5MAFH LMJFnpvKtsVTQx3o2JdEmRVrrF3lPTlDs10Ii8wB7st9v1yZzGZp/KUTJ9Ll7fKtgUmi czf7UZSI8ZE8Fw8zmNBglQ77XNaDtG77Mzlp+8HTjPZugyMKt/oD6l0qOKy8Qa132f/R r0FA== X-Gm-Message-State: APjAAAULUhj4lfhc5j4fV2hVmUR+Vv07XMGwnLCNw2iNW/xJ8GeJUo77 5fQn5Xkz9xXMM/B3FfYZNCeJi3L8HEy9R1HZP+sJ X-Received: by 2002:a2e:9b5a:: with SMTP id o26mr3112055ljj.158.1569513018927; Thu, 26 Sep 2019 08:50:18 -0700 (PDT) MIME-Version: 1.0 References: <20190923155041.GA14807@codemonkey.org.uk> <20190923210021.5vfc2fo4wopennj5@madcap2.tricolour.ca> <20190924135046.kkt5hntbjpcampwr@madcap2.tricolour.ca> In-Reply-To: From: Paul Moore Date: Thu, 26 Sep 2019 11:50:07 -0400 Message-ID: Subject: Re: ntp audit spew. To: Dave Jones Cc: linux-audit@redhat.com, Richard Guy Briggs , Linux Kernel Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Sep 24, 2019 at 1:05 PM Paul Moore wrote: > On Tue, Sep 24, 2019 at 9:50 AM Richard Guy Briggs wrote: > > On 2019-09-23 23:01, Paul Moore wrote: > > > On Mon, Sep 23, 2019 at 5:00 PM Richard Guy Briggs wrote: > > > > On 2019-09-23 12:14, Paul Moore wrote: > > > > > On Mon, Sep 23, 2019 at 11:50 AM Dave Jones wrote: > > > > > > > > > > > > I have some hosts that are constantly spewing audit messages like so: > > > > > > > > > > > > [46897.591182] audit: type=1333 audit(1569250288.663:220): op=offset old=2543677901372 new=2980866217213 > > > > > > [46897.591184] audit: type=1333 audit(1569250288.663:221): op=freq old=-2443166611284 new=-2436281764244 > > > > > > > > Odd. It appears these two above should have the same serial number and > > > > should be accompanied by a syscall record. It appears that it has no > > > > context to update to connect the two records. Is it possible it is not > > > > being called in a task context? If that were the case though, I'd > > > > expect audit_dummy_context() to return 1... > > > > > > Yeah, I'm a little confused with these messages too. As you pointed > > > out, the different serial numbers imply that the audit_context is NULL > > > and if the audit_context is NULL I would have expected it to fail the > > > audit_dummy_context() check in audit_ntp_log(). I'm looking at this > > > with tired eyes at the moment, so I'm likely missing something, but I > > > just don't see it right now ... > > > > > > What is even more confusing is that I don't see this issue on my test systems. > > > > > > > Checking audit_enabled should not be necessary but might fix the > > > > problem, but still not explain why we're getting these records. > > > > > > I'd like to understand why this is happening before we start changing the code. > > > > Absolutely. > > > > This looks like a similar issue to the AUDIT_NETFILTER_CFG issue where > > we get a lone record unconnected to a syscall when one of the netfilter > > table initialization (ipv4 filter) is linked into the kernel rather than > > compiled as a module, so it is run in kernel context at boot rather than > > in user context as a module load later. This is why I ask if it is > > being run by a kernel thread rather than a user task, perhaps using a > > syscall function call internally. > > I don't see where in the code that could happen, but I agree that it > looks like it; maybe I'm just missing a code path somewhere. > > Is anyone else seeing these records? Granted my audit test systems > are running chrony, not ntp, but the syscalls/behaviors should be > similar and I can't seem to recreate this. Dave, can you provide any additional information on the systems where you are seeing this? Kernel, userspace, distro, relevant configs, etc. -- paul moore www.paul-moore.com