Re: auditing ntpd
On Thursday, September 08, 2011 06:22:22 AM Vipin Rathor wrote:
Hi (again),
I've this rule in audit.rules file to keep a tab on system time change:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -F auid!=-1 -k
adjtimex_time-change
And i'm continuously getting these messages in external logging server:
What does continuously mean? If ntpd is doing this once a minute and you have a rule
that does not exclude ntpd, then its doing the right thing.
What you might want to do is modify the rule to be:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -F auid!=-1 -F uid!=ntp -k
adjtimex_time-change
This makes an exception for the ntp user account.
node=<hostname> type=SYSCALL msg=audit(1315476783.281:537763):
arch=c000003e syscall=159 success=yes exit=5 a0=7fff05a77db0 a1=861
a2=0 a3=1 items=0 ppid=1 pid=2551623 auid=0 uid=38 gid=38 euid=38
suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=61352
comm="ntpd" exe="/usr/sbin/ntpd" key="adjtimex_time-change"
The reason you are getting audited is because the auid is root and they restarted
ntpd. By making an exception for ntp uid, it should quieten down the logs. But this
raises a secondary problem, you are allowing root logins which does mess up the audit
trail. Who was being root?
-Steve