Linux audit - exclude a process that updates the time

Posted by user185704 on Server Fault
Published on 2012-06-01T14:47:34Z Indexed on 2012/06/25 9:18 UTC

I have set my auditd rules to log when the system time is changed.

However, our servers are VMs and thus have problems with the time drifting out. We needed to solve this issue so we used a VMware tool to regularly synchronize the time.

My problem now is that my audit logs are overwhelmed with time change entries like this:

Jun  1 15:08:39 ***** audispd: node=****** type=SYSCALL
msg=audit(1338559719.053:344291):
arch=c000003e syscall=159 success=yes exit=5 a0=7ffff2084050 a1=0 a2=144b
a3=485449575f4c4c55 items=0 ppid=1 pid=1348 auid=4294967295 uid=0 gid=0 
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 
comm="vmtoolsd" exe="/usr/lib/vmware-tools/bin64/appLoader" key="time_change"

How can I exclude this VMware tool from the audit, but still capture a user changing the time?

Here are my current audit rules to capture time changes:

-a always,exit -F arch=b32 -S adjtimex -S settimeofday -k time_change
-a always,exit -F arch=b32 -S clock_settime -k time_change

© Server Fault or respective owner
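One way to keep the records for a person changing the time while dropping the daemon's, as an added example that is not part of the original post or of any answer to it: the vmtoolsd record above has ppid=1 and auid=4294967295, meaning it was started by init and never passed through a login session, whereas anything a user runs after logging in (including via su or sudo) inherits that user's login UID. Filtering on auid therefore separates the two. The rules below assume the auditctl syntax already used on the page plus the auid field; the log-line classifier and its two sample records are constructed here to show what each rule would keep, and the file paths for loading the rules are assumptions about the local auditd setup.

```shell
#!/bin/sh
# Added example (not from the original post): auditd rules that keep logging
# time changes made from a login session while ignoring the VMware time-sync
# daemon. Assumption: a process started by init has its login UID (auid)
# unset, i.e. 4294967295, which is what the vmtoolsd record in the question shows.

# Emit the rule set to stdout. arch=b64 is included because the record in the
# question has arch=c000003e (x86_64); the syscall names are the page's own.
time_change_rules() {
    cat <<'EOF'
## Record time changes only when the caller belongs to a login session.
## auid is set by pam_loginuid at login and inherited by every child process;
## daemons started from init (vmtoolsd here, ppid=1) have auid=4294967295.
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F auid!=4294967295 -k time_change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -F auid!=4294967295 -k time_change
EOF
}

# Predict whether the auid-filtered rule would still produce a record for the
# event described by an existing SYSCALL line: it does whenever auid is set.
# Prints "captured" or "skipped".
classify_record() {
    auid=$(printf '%s\n' "$1" | sed -n 's/.*[[:space:]]auid=\([0-9]*\).*/\1/p')
    if [ -z "$auid" ] || [ "$auid" = "4294967295" ]; then
        echo skipped
    else
        echo captured
    fi
}

# Constructed sample records (modelled on the one in the question, joined onto
# one line and trimmed): the daemon, and an administrator who logged in as
# uid 1000 and ran "date" as root (syscall 164 is settimeofday on x86_64).
VMTOOLSD_RECORD='type=SYSCALL msg=audit(1338559719.053:344291): arch=c000003e syscall=159 success=yes exit=5 ppid=1 pid=1348 auid=4294967295 uid=0 gid=0 euid=0 comm="vmtoolsd" exe="/usr/lib/vmware-tools/bin64/appLoader" key="time_change"'
ADMIN_RECORD='type=SYSCALL msg=audit(1338560000.000:344300): arch=c000003e syscall=164 success=yes exit=0 ppid=2200 pid=2231 auid=1000 uid=0 gid=0 euid=0 comm="date" exe="/bin/date" key="time_change"'

# Show what the filtered rule would do with each record.
printf 'vmtoolsd: %s\n' "$(classify_record "$VMTOOLSD_RECORD")"   # skipped
printf 'admin:    %s\n' "$(classify_record "$ADMIN_RECORD")"      # captured

# To install (as root, after reading the output; paths are assumptions about
# the local auditd layout):
#   time_change_rules >> /etc/audit/audit.rules && service auditd restart
# or, on systems that ship augenrules:
#   time_change_rules > /etc/audit/rules.d/time_change.rules && augenrules --load
```

Two caveats before relying on this: anything else started outside a login session (a cron job, a boot-time script, another daemon) also has auid unset and is skipped the same way, so the rule is "log people, not services" rather than "log everything except vmtoolsd"; and if someone launches vmtoolsd by hand from a shell, its time changes are logged, which is the behaviour you want. Auditd releases newer than the one in the question (audit 2.6 with kernel 4.3 or later) also accept an `-F exe=` field, so a single binary can be excluded with a `-a never,exit` rule placed before the `always` rules instead of relying on auid.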
