Thank you for chiming in, Ryan. I saw a thread describing a similar strategy out there;
what was confusing me was really twofold:
1) the entries being generated every second (i.e. outside of whatever perceived polling
interval was configured).
2) the entries apparently not having any meaningful information (if presumably some sort
of adjustment was being made); perhaps the -i switch Steve provided will account for
this.
I think the responses provided are enough to point me in the right direction. Thank you
for your help.
Dan
On Sep 27, 2016, at 7:21 PM, Ryan Sawhill
<rsawhill@redhat.com> wrote:
To say the thing that Steve knows but didn't explicitly point out:
The "time-change" key is used in the standard STIG rules. If you can get the
clearance from the powers-that-be in your org, note that the auditctl rule format allows
you to exclude time-change events generated by something that you want to trust, e.g.,
ntpd. I wrote an article for this exact issue recently on the Red Hat Customer Portal.
See: How to exclude specific users, groups, or services when using auditd to audit
syscalls <https://access.redhat.com/solutions/2477471>
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
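The exclusion Ryan describes (keep the STIG time-change rules, but let a trusted time daemon adjust the clock without generating records) as an added shell example; it is not code from this thread or from the Red Hat article. It assumes ntpd lives at /usr/sbin/ntpd and that the kernel and auditctl are new enough to accept the `-F exe=` field (audit 2.6 and kernel 4.3 or later); the helper names are hypothetical.

```shell
#!/bin/sh
# Hypothetical helper (added example): print an audit.rules fragment that keeps the
# STIG "time-change" coverage but skips clock syscalls issued by one trusted daemon.
# The kernel evaluates audit rules first-match, so the "never" rule MUST appear
# before the "always" rule it is meant to short-circuit.
TRUSTED_EXE="${TRUSTED_EXE:-/usr/sbin/ntpd}"   # assumed path; chronyd users adjust this

time_change_rules() {
  exe="$1"
  for arch in b64 b32; do
    # Exclusion first: clock syscalls made by the trusted binary produce no record.
    printf -- '-a never,exit -F arch=%s -S adjtimex,settimeofday,clock_settime -F exe=%s\n' "$arch" "$exe"
  done
  for arch in b64 b32; do
    # Standard STIG rule: everyone else touching the clock is logged under time-change.
    printf -- '-a always,exit -F arch=%s -S adjtimex,settimeofday,clock_settime -k time-change\n' "$arch"
  done
  # Zone-file watch, also part of the usual time-change rule set.
  printf -- '-w /etc/localtime -p wa -k time-change\n'
}

# Sanity check on stdin: the exclusion for the given exe must precede every "always"
# rule for the clock syscalls; otherwise the exclusion is dead and ntpd still floods the log.
check_order() {
  awk -v exe="$1" '
    /-a always,exit/ && !seen_never { bad = 1 }
    /-a never,exit/ && index($0, "exe=" exe) { seen_never = 1 }
    END { exit bad ? 1 : 0 }'
}

if time_change_rules "$TRUSTED_EXE" | check_order "$TRUSTED_EXE"; then
  time_change_rules "$TRUSTED_EXE"   # save under /etc/audit/rules.d/ and run: augenrules --load
fi
```

Whether the exclusion actually took effect can be confirmed after loading with `auditctl -l`, which lists the rules in the order the kernel will evaluate them.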