On Thursday, September 08, 2011 06:22:22 AM Vipin Rathor wrote:
> Hi (again),
> I have this rule in the audit.rules file to keep tabs on system time changes:
> -a always,exit -F arch=b64 -S adjtimex -S settimeofday -F auid!=-1 -k adjtimex_time-change
> 
> And I'm continuously getting these messages on the external logging server:

What does continuously mean? If ntpd is doing this once a minute and you have a rule that does not exclude ntpd, then it's doing the right thing.

What you might want to do is modify the rule to be:

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -F auid!=-1 -F uid!=ntp -k adjtimex_time-change

This makes an exception for the ntp user account.


> node=<hostname> type=SYSCALL msg=audit(1315476783.281:537763):
> arch=c000003e syscall=159 success=yes exit=5 a0=7fff05a77db0 a1=861
> a2=0 a3=1 items=0 ppid=1 pid=2551623 auid=0 uid=38 gid=38 euid=38
> suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=61352
> comm="ntpd" exe="/usr/sbin/ntpd" key="adjtimex_time-change"

The reason you are getting audited is because the auid is root and they restarted ntpd. By making an exception for the ntp uid, it should quieten down the logs. But this raises a secondary problem: you are allowing root logins, which does mess up the audit trail. Who was being root?

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
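To see what the `-F uid!=ntp` exception changes for records like the one quoted in the thread, here is an added Python example (not code from the thread or from the audit project) that models the auid/uid filters of the original and modified rules over constructed SYSCALL records. It assumes uid 38 is the ntp account and that syscalls 159 and 164 are adjtimex and settimeofday on x86_64 (the record above confirms 159 for adjtimex).

```python
"""Model the thread's audit rule (with and without -F uid!=ntp) over SYSCALL records.

Added example, not code from the thread; assumes uid 38 is the ntp account and
models only the auid/uid filters, not the kernel's full rule matching."""
import re

UNSET_AUID = 4294967295  # how the kernel reports auid=-1 (no login uid)
NTP_UID = 38             # assumption: the ntp account's uid on the poster's host
ADJTIMEX, SETTIMEOFDAY = 159, 164  # x86_64 syscall numbers (-S adjtimex -S settimeofday)

# Constructed records modelled on the one quoted in the thread (fields trimmed).
SAMPLE_RECORDS = [
    # ntpd restarted from a root login (auid=0) slewing the clock
    'type=SYSCALL msg=audit(1315476783.281:537763): arch=c000003e syscall=159 '
    'success=yes exit=5 auid=0 uid=38 gid=38 euid=38 comm="ntpd" '
    'exe="/usr/sbin/ntpd" key="adjtimex_time-change"',
    # an administrator's login session setting the clock by hand
    'type=SYSCALL msg=audit(1315476800.000:537800): arch=c000003e syscall=164 '
    'success=yes exit=0 auid=1000 uid=0 gid=0 euid=0 comm="date" '
    'exe="/bin/date" key="adjtimex_time-change"',
    # ntpd started at boot with no login uid at all
    'type=SYSCALL msg=audit(1315476700.000:537700): arch=c000003e syscall=159 '
    'success=yes exit=5 auid=4294967295 uid=38 gid=38 euid=38 comm="ntpd" '
    'exe="/usr/sbin/ntpd" key="adjtimex_time-change"',
]

def parse_record(line):
    """Split an audit record's key=value pairs into a dict (ints where numeric)."""
    fields = {}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        val = val.strip('"')
        fields[key] = int(val) if val.isdigit() else val
    return fields

def original_rule_matches(rec):
    """-S adjtimex -S settimeofday -F auid!=-1: any time change from a login session."""
    return rec['syscall'] in (ADJTIMEX, SETTIMEOFDAY) and rec['auid'] != UNSET_AUID

def modified_rule_matches(rec):
    """The same rule with Steve's -F uid!=ntp exception added."""
    return original_rule_matches(rec) and rec['uid'] != NTP_UID

def classify(lines):
    """Return (comm, hit by original rule, hit by modified rule) for each record."""
    recs = [parse_record(line) for line in lines]
    return [(r['comm'], original_rule_matches(r), modified_rule_matches(r)) for r in recs]

for comm, before, after in classify(SAMPLE_RECORDS):
    print(f'{comm:5s} original: {before!s:5s} with uid!=ntp: {after}')
```

The first record (ntpd running as uid 38 under a root login) is the noisy one the exception silences, while a hand-run `date` from an administrator's session is still reported by both rules.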