All geek questions in one place

NTP Audit - failed adjtimex command failure?

As part of the new PCI-DSS server deployment, I am setting up a fully controlled NTP change history. Everything works as expected, but now I see audit logs written every second related to time shift operations. After a long search, I still do not understand what is happening. The problem is displayed in / var / log / messages, where the audit message is constantly written.

My research shows that the message syscall "exit = 5" means that the clock was not correctly synchronized:

adjtimex () syscall response "#define TIME_BAD 5 / * synchronized clocks * /".

So, in general, it seems that the synchronization is synchronized correctly (as I understand it), but it is constantly changing - unexpected behavior with the polling interval set to 64 by default.

Can anyone suggest suggestions? I have included as many details as I can find below:

Check Time Rules:

[09:31] callum pci-fram-ipa1 ~ $ sudo cat /etc/audit/rules.d/audit_time_rules.rules
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change

System time and clock time:

[09:14] callum pci-fram-ipa1 ~ $ sudo clock;date
Thu 05 Jan 2017 09:14:01 GMT  -0.500708 seconds
Thu  5 Jan 09:14:01 GMT 2017

Example audit result:

[09:15] callum pci-fram-ipa1 ~ $ sudo tail -f /var/log/messages|grep time
Jan  5 09:15:25 pci-fram-ipa1 audispd: node=pci-fram-ipa1.x.net type=SYSCALL msg=audit(1483607725.390:2328215): arch=c000003e syscall=159 success=yes exit=5 a0=7ffe85ddc320 a1=7ffe85ddc410 a2=861 a3=2 items=0 ppid=1 pid=11479 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0 key="time-change"
Jan  5 09:15:26 pci-fram-ipa1 audispd: node=pci-fram-ipa1.x.net type=SYSCALL msg=audit(1483607726.390:2328216): arch=c000003e syscall=159 success=yes exit=5 a0=7ffe85ddc320 a1=7ffe85ddc410 a2=861 a3=2 items=0 ppid=1 pid=11479 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0 key="time-change"
Jan  5 09:15:27 pci-fram-ipa1 audispd: node=pci-fram-ipa1.x.net type=SYSCALL msg=audit(1483607727.390:2328217): arch=c000003e syscall=159 success=yes exit=5 a0=7ffe85ddc320 a1=7ffe85ddc410 a2=861 a3=2 items=0 ppid=1 pid=11479 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0 key="time-change"
Jan  5 09:15:28 pci-fram-ipa1 audispd: node=pci-fram-ipa1.x.net type=SYSCALL msg=audit(1483607728.390:2328218): arch=c000003e syscall=159 success=yes exit=5 a0=7ffe85ddc320 a1=7ffe85ddc410 a2=861 a3=2 items=0 ppid=1 pid=11479 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0 key="time-change"
Jan  5 09:15:29 pci-fram-ipa1 audispd: node=pci-fram-ipa1.x.net type=SYSCALL msg=audit(1483607729.390:2328219): arch=c000003e syscall=159 success=yes exit=5 a0=7ffe85ddc320 a1=7ffe85ddc410 a2=861 a3=2 items=0 ppid=1 pid=11479 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0 key="time-change"
Jan  5 09:15:30 pci-fram-ipa1 audispd: node=pci-fram-ipa1.x.net type=SYSCALL msg=audit(1483607730.390:2328220): arch=c000003e syscall=159 success=yes exit=5 a0=7ffe85ddc320 a1=7ffe85ddc410 a2=861 a3=2 items=0 ppid=1 pid=11479 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0 key="time-change"
Jan  5 09:15:31 pci-fram-ipa1 audispd: node=pci-fram-ipa1.x.net type=SYSCALL msg=audit(1483607731.390:2328221): arch=c000003e syscall=159 success=yes exit=5 a0=7ffe85ddc320 a1=7ffe85ddc410 a2=861 a3=2 items=0 ppid=1 pid=11479 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0 key="time-change"
Jan  5 09:15:32 pci-fram-ipa1 audispd: node=pci-fram-ipa1.x.net type=SYSCALL msg=audit(1483607732.390:2328222): arch=c000003e syscall=159 success=yes exit=5 a0=7ffe85ddc320 a1=7ffe85ddc410 a2=861 a3=2 items=0 ppid=1 pid=11479 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0 key="time-change"
Jan  5 09:15:33 pci-fram-ipa1 audispd: node=pci-fram-ipa1.x.net type=SYSCALL msg=audit(1483607733.390:2328223): arch=c000003e syscall=159 success=yes exit=5 a0=7ffe85ddc320 a1=7ffe85ddc410 a2=861 a3=2 items=0 ppid=1 pid=11479 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0 key="time-change"
Jan  5 09:15:34 pci-fram-ipa1 audispd: node=pci-fram-ipa1.x.net type=SYSCALL msg=audit(1483607734.390:2328224): arch=c000003e syscall=159 success=yes exit=5 a0=7ffe85ddc320 a1=7ffe85ddc410 a2=861 a3=2 items=0 ppid=1 pid=11479 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0 key="time-change"

Synchronization:

[09:15] callum pci-fram-ipa1 ~ $ sudo ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*neon.trippett.o 131.188.3.221    2 u  112  256  377   17.924   -0.704   0.252
+uno.alvm.me     193.79.237.14    2 u  196  256  377   19.737    0.505   0.436
+greenore.zeip.e 140.203.204.77   2 u  165  256  377   19.616    0.019   0.252
+devrandom.pl    87.124.126.49    3 u  124  256  377   19.675    0.371   0.572

Additional Information:

[09:17] callum pci-fram-ipa1 ~ $ ntpdc -c sysinfo
system peer:          neon.trippett.org
system peer mode:     client
leap indicator:       00
stratum:              3
precision:            -23
root distance:        0.03258 s
root dispersion:      0.04211 s
reference ID:         [178.62.6.103]
reference time:       dc188cec.d9ea15c5  Thu, Jan  5 2017  9:14:20.851
system flags:         auth ntp stats
jitter:               0.000320 s
stability:            0.000 ppm
broadcastdelay:       0.000000 s
authdelay:            0.000000 s
+4
source share
1 answer

It seems like this could be expected from behavior based on how often NTP interrupts hours.

From NTP Documentation :

5.1.3.2. How often is the system clock updated?

, ntpd . , , . adjtime(), ntpd every second ( , adjtimex, adjtimex , adjtime ADJ_OFFSET_SINGLESHOT: . adjtimex). ntp_adjtime(), , . . 5.2 Q: 5.1.6.1..

. , "" ( ) "" .

, , ntp - , ntp uid/auid.

, adjtimex man page , TIME_BAD, , , :

TIME_ERROR  The system clock is not synchronized to a reliable
               server.  This value is returned when any of the following
               holds true:

               *  Either STA_UNSYNC or STA_CLOCKERR is set.

               *  STA_PPSSIGNAL is clear and either STA_PPSFREQ or
                  STA_PPSTIME is set.

               *  STA_PPSTIME and STA_PPSJITTER are both set.

               *  STA_PPSFREQ is set and either STA_PPSWANDER or
                  STA_PPSJITTER is set.

               The symbolic name TIME_BAD is a synonym for TIME_ERROR,
               provided for backward compatibility.
+1

Source: https://habr.com/ru/post/1665847/

More articles:


All Articles