On Mon, Sep 23, 2019 at 5:00 PM Richard Guy Briggs <rgb(a)redhat.com> wrote:
> On 2019-09-23 12:14, Paul Moore wrote:
> > On Mon, Sep 23, 2019 at 11:50 AM Dave Jones <davej(a)codemonkey.org.uk> wrote:
> > >
> > > I have some hosts that are constantly spewing audit messages like so:
> > >
> > > [46897.591182] audit: type=1333 audit(1569250288.663:220): op=offset old=2543677901372 new=2980866217213
> > > [46897.591184] audit: type=1333 audit(1569250288.663:221): op=freq old=-2443166611284 new=-2436281764244
>
> Odd. It appears these two above should have the same serial number and
> should be accompanied by a syscall record. It appears that it has no
> context to update to connect the two records. Is it possible it is not
> being called in a task context? If that were the case though, I'd
> expect audit_dummy_context() to return 1...
Yeah, I'm a little confused with these messages too. As you pointed
out, the different serial numbers imply that the audit_context is NULL
and if the audit_context is NULL I would have expected it to fail the
audit_dummy_context() check in audit_ntp_log(). I'm looking at this
with tired eyes at the moment, so I'm likely missing something, but I
just don't see it right now ...
What is even more confusing is that I don't see this issue on my test systems.
Checking audit_enabled should not be necessary but might fix the
problem; it still would not explain why we're getting these records.
I'd like to understand why this is happening before we start changing the code.
--
paul moore
www.paul-moore.com
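The symptom Richard describes (two type=1333 records with different serials and no syscall record in the same event) can be checked mechanically in collected logs. The script below is an added example, not code from the thread or the kernel: it groups audit records by their audit(timestamp:serial) event id and reports NTP records (type=1333, AUDIT_TIME_ADJNTPVAL) whose event carries no SYSCALL record (type=1300). The sample log is constructed from the two lines quoted above plus one well-formed event.

```python
import re
from collections import defaultdict

# Matches the "type=N audit(<timestamp>:<serial>): <body>" part of a record.
# The printk prefix ("[46897.591182] audit: ") is optional so that both
# dmesg output and auditd-style lines parse.
RECORD_RE = re.compile(
    r"type=(?P<type>\d+)\s+audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)

AUDIT_SYSCALL = 1300          # syscall record that normally accompanies an event
AUDIT_TIME_ADJNTPVAL = 1333   # the op=offset / op=freq records quoted in the thread


def parse_record(line):
    """Return a dict for one audit record line, or None if it is not one."""
    m = RECORD_RE.search(line)
    if not m:
        return None
    return {"type": int(m.group("type")), "ts": m.group("ts"),
            "serial": int(m.group("serial")), "body": m.group("body")}


def find_orphan_ntp_records(lines):
    """Group records by (timestamp, serial) and return the NTP records whose
    event has no SYSCALL record, i.e. each NTP record got its own serial and
    no syscall context was attached."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[(rec["ts"], rec["serial"])].append(rec)
    orphans = []
    for _key, recs in sorted(events.items()):
        types = {r["type"] for r in recs}
        if AUDIT_TIME_ADJNTPVAL in types and AUDIT_SYSCALL not in types:
            orphans.extend(r for r in recs if r["type"] == AUDIT_TIME_ADJNTPVAL)
    return orphans


# Constructed sample: the two lines from the thread (distinct serials, no syscall
# record) plus a healthy event where both NTP records and a SYSCALL record share serial 300.
SAMPLE_LOG = """\
[46897.591182] audit: type=1333 audit(1569250288.663:220): op=offset old=2543677901372 new=2980866217213
[46897.591184] audit: type=1333 audit(1569250288.663:221): op=freq old=-2443166611284 new=-2436281764244
type=1333 audit(1569250300.100:300): op=offset old=1 new=2
type=1333 audit(1569250300.100:300): op=freq old=3 new=4
type=1300 audit(1569250300.100:300): arch=c000003e syscall=305 success=yes exit=0
"""

if __name__ == "__main__":
    for rec in find_orphan_ntp_records(SAMPLE_LOG.splitlines()):
        print(f"serial {rec['serial']}: {rec['body']} (no SYSCALL record in event)")
```

Run against a real `ausearch -i`-free raw log (or `dmesg` output), a steady stream of orphans with distinct serials is the signature of the bug being discussed, whereas paired records under one serial mean the syscall context was attached as intended.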