* auditing ntpd
From: Vipin Rathor @ 2011-09-08 10:22 UTC (permalink / raw)
  To: linux-audit

Hi (again),
I have this rule in the audit.rules file to keep a tab on system time changes:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -F auid!=-1 -k adjtimex_time-change

And I'm continuously getting these messages on the external logging server:
node=<hostname> type=SYSCALL msg=audit(1315476783.281:537763):
arch=c000003e syscall=159 success=yes exit=5 a0=7fff05a77db0 a1=861
a2=0 a3=1 items=0 ppid=1 pid=2551623 auid=0 uid=38 gid=38 euid=38
suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=61352
comm="ntpd" exe="/usr/sbin/ntpd" key="adjtimex_time-change"

After strace'ing the ntpd, I can see the 'adjtimex' system call
getting called continuously:
# strace -p 2551623
Process 2551623 attached - interrupt to quit
select(28, [16 17 18 19 20 21 22 23 24 25 26 27], NULL, NULL, {0,
663331}) = 0 (Timeout)
adjtimex({modes=ADJ_OFFSET|0x8000, offset=0, freq=0,
maxerror=16000000, esterror=16, status=STA_UNSYNC|0x2000, constant=0,
precision=1, tolerance=32768000, time={1315477226, 286574975},
tick=10000, ppsfreq=0, jitter=0, shift=0, stabil=0, jitcnt=0,
calcnt=0, errcnt=0, stbcnt=0}) = 5 (TIME_ERROR)
select(28, [16 17 18 19 20 21 22 23 24 25 26 27], NULL, NULL, {0,
994495}) = 0 (Timeout)
adjtimex({modes=ADJ_OFFSET|0x8000, offset=0, freq=0,
maxerror=16000000, esterror=16, status=STA_UNSYNC|0x2000, constant=0,
precision=1, tolerance=32768000, time={1315477227, 282047022},
tick=10000, ppsfreq=0, jitter=0, shift=0, stabil=0, jitcnt=0,
calcnt=0, errcnt=0, stbcnt=0}) = 5 (TIME_ERROR)
.....
.....

Any pointers on why this is happening? How can I resolve it?

I'm using RHEL 6.1 with these audit rpms:
audit-libs-2.1-5.el6.x86_64
audit-2.1-5.el6.x86_64
audispd-plugins-2.1-5.el6.x86_64

Thanks in advance for any help in this regard.
-- 
-Rathor


* Re: auditing ntpd
From: Steve Grubb @ 2011-09-08 13:24 UTC (permalink / raw)
  To: linux-audit

On Thursday, September 08, 2011 06:22:22 AM Vipin Rathor wrote:
> Hi (again),
> I've this rule in audit.rules file to keep a tab on system time change:
> -a always,exit -F arch=b64 -S adjtimex -S settimeofday -F auid!=-1 -k
> adjtimex_time-change
> 
> And i'm continuously getting these messages in external logging server:

What does continuously mean? If ntpd is doing this once a minute and you have a rule
that does not exclude ntpd, then it's doing the right thing.

What you might want to do is modify the rule to be:

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -F auid!=-1 -F uid!=ntp -k adjtimex_time-change

This makes an exception for the ntp user account.


> node=<hostname> type=SYSCALL msg=audit(1315476783.281:537763):
> arch=c000003e syscall=159 success=yes exit=5 a0=7fff05a77db0 a1=861
> a2=0 a3=1 items=0 ppid=1 pid=2551623 auid=0 uid=38 gid=38 euid=38
> suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=61352
> comm="ntpd" exe="/usr/sbin/ntpd" key="adjtimex_time-change"

The reason you are getting audited is because the auid is root and they restarted
ntpd. By making an exception for the ntp uid, it should quieten down the logs. But this
raises a secondary problem: you are allowing root logins, which does mess up the audit
trail. Who was being root?

-Steve
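An added example, not from either post, that emulates in Python how the suggested rule change affects the record quoted above: the ntpd record (uid 38, auid 0) matches the original rule but not the rule with `-F uid!=ntp`, while a constructed record of a logged-in admin (auid 1000) calling settimeofday still matches both. The syscall numbers (159 adjtimex, 164 settimeofday) are the x86_64 values; the admin record and its field values are constructed.

```python
import re
from typing import Dict, List, Tuple

# SYSCALL record quoted in the thread (node= prefix dropped).
NTPD_RECORD = (
    'type=SYSCALL msg=audit(1315476783.281:537763): arch=c000003e syscall=159 '
    'success=yes exit=5 a0=7fff05a77db0 a1=861 a2=0 a3=1 items=0 ppid=1 '
    'pid=2551623 auid=0 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 '
    'fsgid=38 tty=(none) ses=61352 comm="ntpd" exe="/usr/sbin/ntpd" '
    'key="adjtimex_time-change"'
)
# Constructed record: an admin who logged in as uid 1000 and became root runs
# `date -s`, which calls settimeofday (164 on x86_64). auid keeps the login uid.
ADMIN_RECORD = (
    'type=SYSCALL msg=audit(1315480000.100:600001): arch=c000003e syscall=164 '
    'success=yes exit=0 a0=7fff0000aa10 a1=0 a2=0 a3=0 items=0 ppid=4100 '
    'pid=4101 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
    'fsgid=0 tty=pts0 ses=7 comm="date" exe="/bin/date" key="adjtimex_time-change"'
)

X86_64_SYSCALLS = {"adjtimex": 159, "settimeofday": 164}  # from unistd_64.h
UNSET_AUID = 4294967295  # how the kernel reports auid=-1 (no login session)
NTP_UID = 38             # uid of the ntp account in the quoted record (assumption)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Split an audit record into its key=value fields, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def rule_matches(rec: Dict[str, str], exclude_uids=()) -> bool:
    """Emulate: -a always,exit -F arch=b64 -S adjtimex -S settimeofday
    -F auid!=-1 [-F uid!=<each uid in exclude_uids>]."""
    if rec.get("arch") != "c000003e":                     # arch=b64 on x86_64
        return False
    if int(rec["syscall"]) not in X86_64_SYSCALLS.values():
        return False
    if int(rec["auid"]) == UNSET_AUID:                    # auid!=-1
        return False
    if int(rec["uid"]) in exclude_uids:                   # uid!=ntp
        return False
    return True


def classify(lines: List[str]) -> List[Tuple[bool, bool]]:
    """Per record: (matches original rule, matches rule with ntp excluded)."""
    return [(rule_matches(r), rule_matches(r, exclude_uids={NTP_UID}))
            for r in map(parse_record, lines)]
```

Running `classify([NTPD_RECORD, ADMIN_RECORD])` gives `[(True, False), (True, True)]`: the ntpd noise drops out under the modified rule, and the admin's change is still recorded with the real login uid in auid.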
