linux audit - exclude a process that updates the time
Posted by user185704 on Server Fault, published 2012-06-01T14:47:34Z
I have set my auditd rules to log when the system time is changed.
However, our servers are VMs and thus have problems with the time drifting out. We needed to solve this issue so we used a VMware tool to regularly synchronize the time.
My problem now is that my audit logs are overwhelmed with time change entries like this:
Jun 1 15:08:39 ***** audispd: node=****** type=SYSCALL
msg=audit(1338559719.053:344291):
arch=c000003e syscall=159 success=yes exit=5 a0=7ffff2084050 a1=0 a2=144b
a3=485449575f4c4c55 items=0 ppid=1 pid=1348 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="vmtoolsd" exe="/usr/lib/vmware-tools/bin64/appLoader" key="time_change"
How can I exclude this VMware tool from the audit, but still capture a user changing the time?
Here are my current audit rules to capture time changes:
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -k time_change
-a always,exit -F arch=b32 -S clock_settime -k time_change
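As an added example (not from the post or any answer), a post-filter in Python over constructed records in the same format as the entry above: it keeps every time_change event except those from the exe path given in the post when they run without a login uid, so a user invoking the same binary from a session is still reported. The sample records, the allow-list set and the function names are assumptions of this example.

```python
import re

# Constructed sample records in the format of the post's audispd SYSCALL entry
# (one record per line). Not real log data; pids and uids are illustrative.
SAMPLE_RECORDS = [
    # the vmtoolsd sync from the post: syscall=159 is adjtimex on x86_64, auid unset
    'type=SYSCALL msg=audit(1338559719.053:344291): arch=c000003e syscall=159 success=yes '
    'exit=5 ppid=1 pid=1348 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 '
    'comm="vmtoolsd" exe="/usr/lib/vmware-tools/bin64/appLoader" key="time_change"',
    # a logged-in user (auid=1000) running date to set the clock: must be reported
    'type=SYSCALL msg=audit(1338559800.101:344300): arch=c000003e syscall=164 success=yes '
    'exit=0 ppid=2210 pid=2231 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=7 '
    'comm="date" exe="/bin/date" key="time_change"',
    # the same VMware binary, but launched from a login session: must be reported too
    'type=SYSCALL msg=audit(1338559900.500:344310): arch=c000003e syscall=159 success=yes '
    'exit=0 ppid=2231 pid=2400 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=7 '
    'comm="vmtoolsd" exe="/usr/lib/vmware-tools/bin64/appLoader" key="time_change"',
]

UNSET_AUID = 4294967295  # (unsigned)-1: no login uid, i.e. started by init, not by a user
ALLOWED_TIME_SETTERS = {"/usr/lib/vmware-tools/bin64/appLoader"}  # exe path from the post

# key=value pairs; a value is either "quoted" or a run of non-space characters
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_record(line: str) -> dict:
    """Split one audit record into fields; expose msg=audit(time:serial) as time/serial."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    header = MSG_RE.search(line)
    if header:
        fields["time"], fields["serial"] = header.group(1), header.group(2)
    return fields


def reportable_time_changes(lines: list) -> list:
    """Return time_change records that are not the allow-listed daemon's own sync.
    Match on exe (kernel-resolved path), not comm (self-reported), and require an
    unset auid so that a user who runs the same binary is still kept."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("key") != "time_change":
            continue
        auid = int(rec.get("auid", "-1"))
        if rec.get("exe") in ALLOWED_TIME_SETTERS and auid == UNSET_AUID:
            continue
        hits.append(rec)
    return hits
```

On audit releases whose auditctl accepts the exe rule field, the same exclusion can be expressed in the rules themselves as a never rule placed ahead of the always rules; on older systems a post-filter like this is the fallback.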