Is this the thing where systemd is listening on the multicast netlink socket and causes everything to come out in kmsg as well?
Almost, it actually enables audit without knowing anything about the end user's wishes:
On Mon, 2019-09-23 at 15:49 -0400, Dave Jones wrote:
> On Mon, Sep 23, 2019 at 02:57:08PM -0400, Paul Moore wrote:
> > On Mon, Sep 23, 2019 at 12:58 PM Dave Jones <davej(a)codemonkey.org.uk> wrote:
> > > On Mon, Sep 23, 2019 at 12:14:14PM -0400, Paul Moore wrote:
> > > > On Mon, Sep 23, 2019 at 11:50 AM Dave Jones <davej(a)codemonkey.org.uk> wrote:
> > > > > I have some hosts that are constantly spewing audit messages like so:
> > > > > [46897.591182] audit: type=1333 audit(1569250288.663:220): op=offset old=2543677901372 new=2980866217213
> > > > > [46897.591184] audit: type=1333 audit(1569250288.663:221): op=freq old=-2443166611284 new=-2436281764244
> > > > > [48850.604005] audit: type=1333 audit(1569252241.675:222): op=offset old=1850302393317 new=3190241577926
> > > > > [48850.604008] audit: type=1333 audit(1569252241.675:223): op=freq old=-2436281764244 new=-2413071187316
> > > > > [49926.567270] audit: type=1333 audit(1569253317.638:224): op=offset old=2453141035832 new=2372389610455
> > > > > [49926.567273] audit: type=1333 audit(1569253317.638:225): op=freq old=-2413071187316 new=-2403561671476
> > > > > This gets emitted every time ntp makes an adjustment, which is apparently very frequent on some hosts.
> > > > > Audit isn't even enabled on these machines.
> > > > >
> > > > > # auditctl -l
> > > > > No rules
> > > >
> > > > What happens when you run 'auditctl -a never,task'? That *should*
> > > > silence those messages as the audit_ntp_log() function has the
> > > > requisite audit_dummy_context() check.
> > >
> > > They still get emitted.
> > >
> > > > FWIW, this is the distro
> > > > default for many (most? all?) distros; for example, check
> > > > /etc/audit/audit.rules on a stock Fedora system.
> > >
> > > As these machines aren't using audit, they aren't running auditd either.
> > >
> > > Essentially: nothing enables audit, but the kernel side continues to log
> > > ntp regardless (no other audit messages seem to do this).
> >
> > What does your kernel command line look like? Do you have "audit=1"
> > somewhere in there?
>
> nope.
>
> ro root=LABEL=/ biosdevname=0 net.ifnames=0 fsck.repair=yes
> systemd.gpt_auto=0 pcie_pme=nomsi ipv6.autoconf=0 erst_disable
> crashkernel=128M console=tty0 console=ttyS1,57600
> intel_iommu=tboot_noforce
>
> Dave
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
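The following is an added example, not part of the thread above and not code from the audit or kernel projects. It parses type=1333 (NTP time adjustment) records in the form Dave quoted from dmesg, groups the per-parameter records of one adjtimex() call by their shared audit timestamp, reports how often adjustments happen, checks whether the freq and offset values chain from one event to the next (a broken chain means a value changed without a matching record), and also implements the command-line check Paul asked for. The sample log lines and command line are the ones from the thread, embedded here as constructed test input; the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the six kernel log lines quoted in the thread above.
SAMPLE_DMESG = """\
[46897.591182] audit: type=1333 audit(1569250288.663:220): op=offset old=2543677901372 new=2980866217213
[46897.591184] audit: type=1333 audit(1569250288.663:221): op=freq old=-2443166611284 new=-2436281764244
[48850.604005] audit: type=1333 audit(1569252241.675:222): op=offset old=1850302393317 new=3190241577926
[48850.604008] audit: type=1333 audit(1569252241.675:223): op=freq old=-2436281764244 new=-2413071187316
[49926.567270] audit: type=1333 audit(1569253317.638:224): op=offset old=2453141035832 new=2372389610455
[49926.567273] audit: type=1333 audit(1569253317.638:225): op=freq old=-2413071187316 new=-2403561671476
"""

# The kernel command line Dave posted, reused as sample input for the audit=1 check.
SAMPLE_CMDLINE = ("ro root=LABEL=/ biosdevname=0 net.ifnames=0 fsck.repair=yes "
                  "systemd.gpt_auto=0 pcie_pme=nomsi ipv6.autoconf=0 erst_disable "
                  "crashkernel=128M console=tty0 console=ttyS1,57600 "
                  "intel_iommu=tboot_noforce")

AUDIT_TIME_ADJNTP = 1333  # the record type number as it appears in the lines above

# audit(SEC.MSEC:SERIAL): op=NAME old=N new=N  (only the fields this example needs)
RECORD_RE = re.compile(
    r"audit: type=(?P<type>\d+) audit\((?P<sec>\d+)\.(?P<msec>\d{3}):(?P<serial>\d+)\): "
    r"op=(?P<op>\w+) old=(?P<old>-?\d+) new=(?P<new>-?\d+)"
)


def parse_ntp_records(text):
    """Return the type=1333 records found in dmesg-style text, one dict per line."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.search(line)
        if not m or int(m.group("type")) != AUDIT_TIME_ADJNTP:
            continue
        records.append({
            # Keep the audit timestamp as integer milliseconds so interval
            # arithmetic below is exact instead of float-fuzzy.
            "ts_ms": int(m.group("sec")) * 1000 + int(m.group("msec")),
            "serial": int(m.group("serial")),
            "op": m.group("op"),
            "old": int(m.group("old")),
            "new": int(m.group("new")),
        })
    return records


def group_adjustments(records):
    """One clock adjustment emits one record per changed parameter (offset, freq, ...),
    all stamped with the same audit timestamp; collapse them into one event each."""
    events = defaultdict(dict)
    for r in records:
        events[r["ts_ms"]][r["op"]] = (r["old"], r["new"])
    return [(ts, events[ts]) for ts in sorted(events)]


def values_chain(events, op):
    """True when, for every consecutive pair of events carrying `op`, the later
    event's old value equals the earlier event's new value."""
    return all(
        prev[1][op][1] == cur[1][op][0]
        for prev, cur in zip(events, events[1:])
        if op in prev[1] and op in cur[1]
    )


def summarize(text):
    """Adjustment count, spacing between adjustments, and chain checks for a log."""
    events = group_adjustments(parse_ntp_records(text))
    intervals = [b[0] - a[0] for a, b in zip(events, events[1:])]
    return {
        "adjustments": len(events),
        "records": sum(len(params) for _, params in events),
        "min_interval_ms": min(intervals) if intervals else None,
        "max_interval_ms": max(intervals) if intervals else None,
        # freq chains in the sample; a break would mean records were lost between
        # two events or the value changed without a corresponding record.
        "freq_chained": values_chain(events, "freq"),
        # offset does not chain in the sample: the kernel slews the pending offset
        # away between calls, so each call starts from a different residual.
        "offset_chained": values_chain(events, "offset"),
    }


def cmdline_enables_audit(cmdline):
    """The check Paul asked for: does the kernel command line carry audit=1?"""
    return any(tok == "audit=1" for tok in cmdline.split())


if __name__ == "__main__":
    print(summarize(SAMPLE_DMESG))
    print("audit=1 on cmdline:", cmdline_enables_audit(SAMPLE_CMDLINE))
```

To run it against a live host, replace SAMPLE_DMESG with the output of `dmesg` and SAMPLE_CMDLINE with the contents of /proc/cmdline. Note that, as the thread shows, `auditctl -l` reporting "No rules" and the absence of audit=1 do not by themselves tell you whether audit is enabled in the kernel; they only tell you that nothing visible to you turned it on.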