Hi, I have what I hope to be a quick question regarding auditing ntpd. I am looking at my auditd log file and I see this same entry being repeated every second:
type=SYSCALL msg=audit(1475012493.972:5325): arch=c000003e syscall=159 success=yes exit=0 a0=7ffd7498eb00 a1=861 a2=0 a3=1 items=0 ppid=1 pid=5357 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" key="time-change"
type=SYSCALL msg=audit(1475012494.971:5326): arch=c000003e syscall=159 success=yes exit=0 a0=7ffd7498eb00 a1=861 a2=0 a3=1 items=0 ppid=1 pid=5357 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" key="time-change"
type=SYSCALL msg=audit(1475012495.972:5327): arch=c000003e syscall=159 success=yes exit=0 a0=7ffd7498eb00 a1=861 a2=0 a3=1 items=0 ppid=1 pid=5357 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" key="time-change"

This is generating large amounts of log data. I am not an expert in auditd log analysis. Is this expected behavior? I am unsure of what the key time-change value of this log data is, and am wondering if this indicates some sort of misconfiguration or problem with ntpd. From looking at the output of tcpdump it does not look like I am polling every second, so I am wondering why this activity is occurring. If anybody could advise on how to decipher these log entries I would appreciate it. Thank you for your help and advisement.

Best,
Dan Sullivan
University of Chicago Medicine and Biological Sciences

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
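An added example, not part of the original post, that parses audit SYSCALL records of the shape quoted above and summarises which executable, syscall and rule key produce them and how regularly they fire. The sample records are constructed from the ones in the question (plus one made-up `cat` record to show filtering), and the syscall table is a partial one for arch c000003e (x86_64).

```python
import re
from collections import Counter

# Constructed sample: the three ntpd records from the question, one per
# second, plus one unrelated record that the key filter should drop.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1475012493.972:5325): arch=c000003e syscall=159 success=yes exit=0 a0=7ffd7498eb00 a1=861 a2=0 a3=1 items=0 ppid=1 pid=5357 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" key="time-change"
type=SYSCALL msg=audit(1475012494.971:5326): arch=c000003e syscall=159 success=yes exit=0 a0=7ffd7498eb00 a1=861 a2=0 a3=1 items=0 ppid=1 pid=5357 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" key="time-change"
type=SYSCALL msg=audit(1475012495.972:5327): arch=c000003e syscall=159 success=yes exit=0 a0=7ffd7498eb00 a1=861 a2=0 a3=1 items=0 ppid=1 pid=5357 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" key="time-change"
type=SYSCALL msg=audit(1475012495.990:5328): arch=c000003e syscall=2 success=yes exit=3 a0=0 a1=0 a2=0 a3=0 items=1 ppid=1 pid=900 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="config-read"
"""

# Partial x86_64 syscall table (arch=c000003e); unknown numbers are printed as-is.
X86_64_SYSCALLS = {159: "adjtimex", 164: "settimeofday", 227: "clock_settime"}
ARCHES = {"c000003e": "x86_64"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into a dict of key/value fields (quotes stripped)."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = re.search(r'audit\((\d+\.\d+):(\d+)\)', line)
    if m:  # the msg=audit(<epoch>:<serial>) header carries the timestamp
        fields["timestamp"] = float(m.group(1))
        fields["serial"] = int(m.group(2))
    return fields

def describe(rec):
    """Human-readable source label: arch, syscall name, exe, pid and rule key."""
    arch = ARCHES.get(rec.get("arch"), rec.get("arch"))
    num = int(rec["syscall"])
    name = X86_64_SYSCALLS.get(num, num) if arch == "x86_64" else num
    return f'{arch} {name} by {rec["exe"]} (pid {rec["pid"]}, key {rec["key"]})'

def summarise(text, key):
    """Count records tagged with `key` per source and measure the gap between hits."""
    recs = [parse_record(l) for l in text.splitlines() if l.startswith("type=SYSCALL")]
    hits = [r for r in recs if r.get("key") == key]
    stamps = sorted(r["timestamp"] for r in hits)
    gaps = [b - a for a, b in zip(stamps, stamps[1:])]
    mean_gap = round(sum(gaps) / len(gaps), 3) if gaps else None
    return {"count": len(hits),
            "sources": dict(Counter(describe(r) for r in hits)),
            "mean_interval_seconds": mean_gap}

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG, "time-change"))
```

The `key=` field is the label attached by the matching rule's `-k` option, so `auditctl -l` shows which rule is firing; syscall 159 on arch c000003e (x86_64) is adjtimex, the call ntpd uses to steer the kernel clock.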
