Re: ntp audit spew.

On Monday, September 23, 2019 12:14:14 PM EDT Paul Moore wrote: > On Mon, Sep 23, 2019 at 11:50 AM Dave Jones <davej(a)codemonkey.org.uk&gt; wrote: > > I have some hosts that are constantly spewing audit messages like so: > > > > [46897.591182] audit: type=1333 audit(1569250288.663:220): op=offset > > old=2543677901372 new=2980866217213 [46897.591184] audit: type=1333 > > audit(1569250288.663:221): op=freq old=-2443166611284 new=-2436281764244 > > [48850.604005] audit: type=1333 audit(1569252241.675:222): op=offset > > old=1850302393317 new=3190241577926 [48850.604008] audit: type=1333 > > audit(1569252241.675:223): op=freq old=-2436281764244 new=-2413071187316 > > [49926.567270] audit: type=1333 audit(1569253317.638:224): op=offset > > old=2453141035832 new=2372389610455 [49926.567273] audit: type=1333 > > audit(1569253317.638:225): op=freq old=-2413071187316 new=-2403561671476 > > > > This gets emitted every time ntp makes an adjustment, which is apparently > > very frequent on some hosts. > > > > > > Audit isn't even enabled on these machines. > > > > # auditctl -l > > No rules > > [NOTE: added linux-audit to the CC line] > > There is an audit mailing list, please CC it when you have audit > concerns/questions/etc. > > What happens when you run 'auditctl -a never,task'? Actually, "-e 0" should turn it off. There is a general problem where systemd turns on auditing just because it can. The above rule just makes audit processes inauditable, but does not affect the kernel originating events.

# auditctl -s enabled 0 failure 1 pid 0 rate_limit 0 backlog_limit 64 lost 0 backlog 0 loginuid_immutable 0 unlocked