Hi,
I have what I hope to be a quick question regarding auditing ntpd. I am looking at my
auditd log file and I see this same entry being repeated every second:
type=SYSCALL msg=audit(1475012493.972:5325): arch=c000003e syscall=159 success=yes exit=0
a0=7ffd7498eb00 a1=861 a2=0 a3=1 items=0 ppid=1 pid=5357 auid=4294967295 uid=38 gid=38
euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=4294967295
comm="ntpd" exe="/usr/sbin/ntpd" key="time-change"
type=SYSCALL msg=audit(1475012494.971:5326): arch=c000003e syscall=159 success=yes exit=0
a0=7ffd7498eb00 a1=861 a2=0 a3=1 items=0 ppid=1 pid=5357 auid=4294967295 uid=38 gid=38
euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=4294967295
comm="ntpd" exe="/usr/sbin/ntpd" key="time-change"
type=SYSCALL msg=audit(1475012495.972:5327): arch=c000003e syscall=159 success=yes exit=0
a0=7ffd7498eb00 a1=861 a2=0 a3=1 items=0 ppid=1 pid=5357 auid=4294967295 uid=38 gid=38
euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=4294967295
comm="ntpd" exe="/usr/sbin/ntpd" key="time-change"
This is generating large amounts of log data. I am not an expert in auditd log analysis.
Is this expected behavior? I am unsure of what the key time-change value of this log data
is, and am wondering if this indicates some sort of misconfiguration or problem with ntpd.
From looking at the output of tcpdump it does not look like I am polling every second, so
I am wondering why this activity is occurring. If anybody could advise on how to
decipher these log entries I would appreciate it. Thank you for your help and
advisement.
Best,
Dan Sullivan
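Added example, not part of the post above: a small Python decoder for SYSCALL records like the ones quoted, which translates arch, syscall number and auid into readable form and measures how often each comm/key pair fires. It assumes x86_64 syscall numbers (they differ per arch) and embeds the three records from the post as constructed sample input.

```python
"""Decode auditd SYSCALL records and measure how often each (comm, key) fires."""
import re
from collections import defaultdict

# arch is AUDIT_ARCH_*; syscall numbers below are x86_64 only, so check arch first.
ARCH = {"c000003e": "x86_64", "40000003": "i386"}
SYSCALL_X86_64 = {159: "adjtimex", 164: "settimeofday",
                  227: "clock_settime", 305: "clock_adjtime"}
AUID_UNSET = 4294967295   # (unsigned)-1: no login session, e.g. a daemon started at boot
# key= is the -k label of the audit rule that matched; "time-change" is the usual
# label for a rule covering the clock-setting syscalls listed above.

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

def rec(ts, serial):
    """Constructed sample: one record from the post, joined onto a single line."""
    return (f'type=SYSCALL msg=audit({ts}:{serial}): arch=c000003e syscall=159 '
            'success=yes exit=0 a0=7ffd7498eb00 a1=861 a2=0 a3=1 items=0 ppid=1 '
            'pid=5357 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 '
            'egid=38 sgid=38 fsgid=38 tty=(none) ses=4294967295 '
            'comm="ntpd" exe="/usr/sbin/ntpd" key="time-change"')

SAMPLE = [rec("1475012493.972", 5325), rec("1475012494.971", 5326),
          rec("1475012495.972", 5327)]

def decode(line):
    """Split one audit record into a dict and translate the numeric fields."""
    f = {k: v.strip('"') for k, v in FIELD.findall(line)}
    ts, serial = MSG.search(f["msg"]).groups()
    arch = ARCH.get(f["arch"], f["arch"])
    nr = int(f["syscall"])
    name = SYSCALL_X86_64.get(nr, str(nr)) if arch == "x86_64" else str(nr)
    return {"time": float(ts), "serial": int(serial), "arch": arch,
            "syscall": name, "success": f["success"] == "yes",
            "auid_unset": int(f["auid"]) == AUID_UNSET, "uid": int(f["uid"]),
            "comm": f["comm"], "exe": f["exe"], "key": f["key"]}

def rate_by_key(lines):
    """Count records per (comm, key, syscall) and the mean gap between them."""
    groups = defaultdict(list)
    for r in map(decode, lines):
        groups[(r["comm"], r["key"], r["syscall"])].append(r["time"])
    out = {}
    for g, times in groups.items():
        times.sort()
        gap = (times[-1] - times[0]) / (len(times) - 1) if len(times) > 1 else None
        out[g] = {"count": len(times), "mean_interval_s": gap}
    return out

if __name__ == "__main__":
    for g, s in rate_by_key(SAMPLE).items():
        print(g, s)
```

On the sample this reports ntpd calling adjtimex about once a second under the "time-change" key, with no login session (auid unset), which is the pattern to expect from a daemon disciplining the clock rather than from an interactive user.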