On Mon, Sep 23, 2019 at 12:58 PM Dave Jones <davej(a)codemonkey.org.uk> wrote:
On Mon, Sep 23, 2019 at 12:14:14PM -0400, Paul Moore wrote:
> On Mon, Sep 23, 2019 at 11:50 AM Dave Jones <davej(a)codemonkey.org.uk> wrote:
> >
> > I have some hosts that are constantly spewing audit messages like so:
> >
> > [46897.591182] audit: type=1333 audit(1569250288.663:220): op=offset old=2543677901372 new=2980866217213
> > [46897.591184] audit: type=1333 audit(1569250288.663:221): op=freq old=-2443166611284 new=-2436281764244
> > [48850.604005] audit: type=1333 audit(1569252241.675:222): op=offset old=1850302393317 new=3190241577926
> > [48850.604008] audit: type=1333 audit(1569252241.675:223): op=freq old=-2436281764244 new=-2413071187316
> > [49926.567270] audit: type=1333 audit(1569253317.638:224): op=offset old=2453141035832 new=2372389610455
> > [49926.567273] audit: type=1333 audit(1569253317.638:225): op=freq old=-2413071187316 new=-2403561671476
> >
> > This gets emitted every time ntp makes an adjustment, which is apparently very frequent on some hosts.
> >
> >
> > Audit isn't even enabled on these machines.
> >
> > # auditctl -l
> > No rules
>
> What happens when you run 'auditctl -a never,task'? That *should*
> silence those messages as the audit_ntp_log() function has the
> requisite audit_dummy_context() check.
They still get emitted.
> FWIW, this is the distro
> default for many (most? all?) distros; for example, check
> /etc/audit/audit.rules on a stock Fedora system.
As these machines aren't using audit, they aren't running auditd either.
Essentially: nothing enables audit, but the kernel side continues to log
ntp regardless (no other audit messages seem to do this).
What does your kernel command line look like? Do you have "audit=1"
somewhere in there?
--
paul moore
www.paul-moore.com
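
Added example, not part of the thread: a small Python triage helper that parses kernel-log records in the layout quoted above, counts how many type=1333 records a host emits and how far apart the adjustments are, and reads the `audit=` value from a kernel command line string. The function names, the grouping of records by shared audit timestamp, and the sample command lines are assumptions made for this illustration.

```python
import re
from collections import Counter

# Constructed sample: four of the records quoted in the thread, wrapped lines joined.
SAMPLE = """\
[46897.591182] audit: type=1333 audit(1569250288.663:220): op=offset old=2543677901372 new=2980866217213
[46897.591184] audit: type=1333 audit(1569250288.663:221): op=freq old=-2443166611284 new=-2436281764244
[48850.604005] audit: type=1333 audit(1569252241.675:222): op=offset old=1850302393317 new=3190241577926
[48850.604008] audit: type=1333 audit(1569252241.675:223): op=freq old=-2436281764244 new=-2413071187316
"""

# Layout: audit: type=N audit(<epoch>.<ms>:<serial>): op=<name> old=<int> new=<int>
RECORD = re.compile(
    r"audit: type=(?P<type>\d+) audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"op=(?P<op>\w+) old=(?P<old>-?\d+) new=(?P<new>-?\d+)"
)

def parse_records(text, rec_type=1333):
    """Return one dict per matching record; other kernel log lines are skipped."""
    out = []
    for line in text.splitlines():
        m = RECORD.search(line)
        if m and int(m["type"]) == rec_type:
            out.append({
                "ts": float(m["ts"]), "serial": int(m["serial"]),
                "op": m["op"], "delta": int(m["new"]) - int(m["old"]),
            })
    return out

def summarize(records):
    """Count records per op; records sharing a timestamp count as one adjustment."""
    stamps = sorted({r["ts"] for r in records})
    gaps = [b - a for a, b in zip(stamps, stamps[1:])]
    return {
        "records": len(records),
        "by_op": dict(Counter(r["op"] for r in records)),
        "adjustments": len(stamps),
        "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
    }

def audit_cmdline_setting(cmdline):
    """Value of the last audit= token on a kernel command line, or None if absent."""
    vals = [t.split("=", 1)[1] for t in cmdline.split() if t.startswith("audit=")]
    return vals[-1] if vals else None

if __name__ == "__main__":
    print(summarize(parse_records(SAMPLE)))
    print(audit_cmdline_setting("root=/dev/sda1 ro audit=1 quiet"))  # constructed
```

On a live host, feed `parse_records()` the kernel log text and `audit_cmdline_setting()` the contents of `/proc/cmdline`.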