auditd: filter out ntp time adjust event

2023-04-06 00:00:00 +07:00 · 2023-04-06 00:00:00 +07:00 · d288c9ecfa
parent 9e12ff1ffb
commit d288c9ecfa
2 changed files with 17 additions and 6 deletions
--- a/roles/auditd/tasks/main.yml
+++ b/roles/auditd/tasks/main.yml
@ -1,14 +1,19 @@
 ---
- name: auditd | Copy configuration and rules
+- name: auditd | Copy auditd configuration
  copy:
-    src: '{{ item }}'
-    dest: /etc/audit/{{ item }}
+    src: auditd.conf
+    dest: /etc/audit/auditd.conf
+    mode: '644'
+    owner: root
+    group: root
+
+- name: auditd | Copy audit rules
+  template:
+    src: audit.rules.j2
+    dest: /etc/audit/audit.rules
    mode: '644'
    owner: root
    group: root
-  loop:
-    - auditd.conf
-    - audit.rules

 - name: auditd | Copy daily cron job to rotate audit log
  copy:
--- a/roles/auditd/templates/audit.rules.j2
+++ b/roles/auditd/templates/audit.rules.j2
@ -52,6 +52,12 @@
 ## This is not very interesting and wastes a lot of space if the server is public facing
 -a always,exclude -F msgtype=CRYPTO_KEY_USER

+# This prevents ntpd daemons from overwhelming the logs
+-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=ntp
+{% if ntp_client == 'chrony' %}
+-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony
+{% endif %}
+
 ## High Volume Event Filter (especially on Linux Workstations)
 -a never,exit -F arch=b64 -F dir=/dev/shm -k sharedmemaccess
 -a never,exit -F arch=b64 -F dir=/var/lock/lvm -k locklvm