I have some hosts that are constantly spewing audit messages like so:

[46897.591182] audit: type=1333 audit(1569250288.663:220): op=offset old=2543677901372 new=2980866217213
[46897.591184] audit: type=1333 audit(1569250288.663:221): op=freq old=-2443166611284 new=-2436281764244
[48850.604005] audit: type=1333 audit(1569252241.675:222): op=offset old=1850302393317 new=3190241577926
[48850.604008] audit: type=1333 audit(1569252241.675:223): op=freq old=-2436281764244 new=-2413071187316
[49926.567270] audit: type=1333 audit(1569253317.638:224): op=offset old=2453141035832 new=2372389610455
[49926.567273] audit: type=1333 audit(1569253317.638:225): op=freq old=-2413071187316 new=-2403561671476

This gets emitted every time ntp makes an adjustment, which is apparently very frequent on some hosts.

Audit isn't even enabled on these machines.

# auditctl -l
No rules

# auditctl -s
enabled 0
failure 1
pid 0
rate_limit 0
backlog_limit 64
lost 0
backlog 0
loginuid_immutable 0 unlocked

Aside from the log spew, why is this code doing _anything_ when audit isn't enabled?

Something like this:

diff --git a/kernel/audit.c b/kernel/audit.c index da8dc0db5bd3..1291d826c024 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2340,6 +2340,9 @@ void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, struct audit_buffer *ab; va_list args; + if (audit_initialized != AUDIT_INITIALIZED) + return; + ab = audit_log_start(ctx, gfp_mask, type); if (ab) { va_start(args, fmt);

Might silence the spew, but I'm concerned that the amount of work that audit is doing on an unconfigured machine might warrant further investigation.

("turn off CONFIG_AUDIT" isn't an option unfortunately, as this is a one-size-fits-all kernel that runs on some other hosts that /do/ have audit configured)

Dave
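
Review bot: the early return added at the top of audit_log() tests audit_initialized != AUDIT_INITIALIZED, while the condition described in the message is auditing being disabled (auditctl -s reports enabled 0). If audit_initialized is already AUDIT_INITIALIZED on these hosts, the new return never fires and the type=1333 records keep being logged, so confirm which state the hosts are in or gate on the enabled setting instead. The check also sits only in audit_log(), so any caller that uses audit_log_start() directly is not covered by it, and the return deserves a short comment saying why records are dropped at this point.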