On Tue, Oct 11, 2016 at 12:07 PM, Steve Grubb <[email protected]> wrote:
> On Monday, October 10, 2016 2:48:23 PM EDT L. A. Walsh wrote:
>> Steve Grubb wrote:
>> > But ntpd overwhelms logs but chronyd might be marginally better. See bz
>> > https://bugzilla.redhat.com/show_bug.cgi?id=918127
>>
>> ---
>> I took a gander at said bugzilla num, and found a minor surprise in that
>> there
>> Miroslav Lichvar said:
>>
>> "You can use ntpd from the ntp package instead of chrony, it
>> shouldn't call adjtimex as often as chronyd does."
>> ---
>>
>> I.e. the exact opposite of your (Steve)'s statement. Wondered if that was
>> a misread or newer information...<*idle curiosity*>.
>>
>> Either way sounds like it would be "nice" to differentiate a "read" from
>> a "write" in this syscall if it is to be useful.
>
> I agree. But the problem with this syscall is that the operation is part of a
> data structure that is passed by address to the kernel. There currently is no
> good way to filter its uses because the audit subsystem can only look at the
> actual argument passed. I think there may be an issue opened for this on
> github.

Yep, link below:

* https://github.com/linux-audit/audit-kernel/issues/10

-- 
paul moore
www.paul-moore.com
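
Added example, not part of the thread or of any project's code: it shows why a syscall rule on `adjtimex` cannot separate reads from writes, since the only argument is a pointer and the read/write distinction lives in the `modes` field of the `struct timex` behind it. The helper names `timex_is_write`, `make_request` and `query_clock` are hypothetical; the program only ever issues a read-only query.

```c
#include <stdio.h>
#include <string.h>
#include <sys/timex.h>

/* Hypothetical helper (not an audit or kernel API): returns 1 if the request
 * asks the kernel to change clock parameters, 0 if it only reads them. */
int timex_is_write(const struct timex *tx)
{
    if (tx->modes == 0)                  /* no ADJ_* bits: pure query */
        return 0;
    if (tx->modes == ADJ_OFFSET_SS_READ) /* read remaining adjtime() offset */
        return 0;
    return 1;                            /* any other mode sets something */
}

/* Build a request without issuing it (constructed sample input). */
struct timex make_request(unsigned int modes)
{
    struct timex tx;
    memset(&tx, 0, sizeof tx);
    tx.modes = modes;
    return tx;
}

/* Issue a read-only query; returns the clock state (TIME_OK, ...) or -1. */
int query_clock(struct timex *out)
{
    *out = make_request(0);
    return adjtimex(out);
}

int main(void)
{
    struct timex now;
    struct timex reqs[] = {
        make_request(0),
        make_request(ADJ_OFFSET_SS_READ),
        make_request(ADJ_FREQUENCY),   /* constructed only, never issued */
    };
    /* In every case the audit record sees the same thing: one pointer in a0. */
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("a0=%p modes=0x%04x -> %s\n", (void *)&reqs[i],
               reqs[i].modes, timex_is_write(&reqs[i]) ? "write" : "read");
    printf("read-only adjtimex() returned %d\n", query_clock(&now));
    return 0;
}
```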
