From: Ondrej Mosnacek
To: linux-audit@redhat.com
Cc: Paul Moore, Richard Guy Briggs, Steve Grubb, John Stultz, Thomas Gleixner, Stephen Boyd, linux-kernel@vger.kernel.org, Ondrej Mosnacek
Subject: [RFC PATCH ghak10 v4 0/2] audit: Log modifying adjtimex(2) calls
Date: Mon, 20 Aug 2018 14:38:16 +0200
Message-Id: <20180820123818.27547-1-omosnace@redhat.com>
X-Mailer: git-send-email 2.17.1
X-Mailing-List: linux-kernel@vger.kernel.org

Hi,

this patchset implements more detailed auditing of the adjtimex(2) syscall in order to make it possible to:

 a) distinguish modifying vs. read-only calls in the audit log
 b) reconstruct from the audit log what changes were made and how they have influenced the system clock

The main motivation is to be able to detect an adversary that tries to confuse the audit timestamps by changing system time via adjtimex(2), but at the same time avoid flooding the audit log with records of benign read-only adjtimex(2) calls.

@John or other timekeeping/NTP folks: We had a discussion on the audit ML on which of the internal timekeeping/NTP variables we should actually log changes for. We are only interested in variables that can (directly or indirectly) cause noticeable changes to the system clock, but since we have only limited understanding of the NTP code, we would like to ask you for advice on which variables are security relevant.

Right now, the patchset is conservative and logs all changes that can be done via adjtimex(2):

 - direct injection of timekeeping offset (obviously relevant)
 - adjustment of timekeeping's TAI offset
 - NTP value adjustments:
   - time_offset (probably important)
   - time_freq (maybe not important?)
   - time_status (likely important, can cause leap second injection)
   - time_maxerror (maybe not important?)
   - time_esterror (maybe not important?)
   - time_constant (???)
   - time_adjust (sounds important)
   - tick_usec (???)

Could you please give us some hints on the effect of changing these variables and whether you think that it is important to log their changes?

Thanks a lot!

GitHub issue: https://github.com/linux-audit/audit-kernel/issues/10

Changes in v4:
 - Squashed first two patches into one
 - Renamed ADJNTPVAL's "type" field to "op" to align with audit record conventions
 - Minor commit message editing
 - Cc timekeeping/NTP people for feedback

v3: https://www.redhat.com/archives/linux-audit/2018-July/msg00001.html

Changes in v3:
 - Switched to separate records for each variable
 - Both old and new values are now reported for each change
 - Injecting an offset is reported via a separate record (since this offset consists of two values and is added directly to the clock, i.e. it doesn't make sense to log old and new value)
 - Added example records produced by chronyd -q (see the commit message of the last patch)

v2: https://www.redhat.com/archives/linux-audit/2018-June/msg00114.html

Changes in v2:
 - The audit_adjtime() function has been modified to only log those fields that contain values that are actually used, resulting in more compact records.
 - The audit_adjtime() call has been moved to do_adjtimex() in timekeeping.c
 - Added an additional patch (for review) that simplifies detecting whether the syscall is read-only.

v1: https://www.redhat.com/archives/linux-audit/2018-June/msg00095.html

Ondrej Mosnacek (2):
  audit: Add functions to log time adjustments
  timekeeping/ntp: Audit clock/NTP params adjustments

 include/linux/audit.h      | 21 ++++++++++++++++
 include/uapi/linux/audit.h |  2 ++
 kernel/auditsc.c           | 15 ++++++++++++
 kernel/time/ntp.c          | 50 ++++++++++++++++++++++++++++++--------
 kernel/time/timekeeping.c  |  3 +++
 5 files changed, 81 insertions(+), 10 deletions(-)

-- 
2.17.1
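The two design points the cover letter turns on, telling a read-only adjtimex(2) call from a modifying one and reporting a variable only when its value really changed, as an added example in C. This is not code from the patch series or from the kernel: the ADJ_ and STA_ constants are copied from <uapi/linux/timex.h>, but struct tx_req, struct ntp_state, the variable names and the direct field assignments are simplified stand-ins for struct timex and the kernel/time/ntp.c state (the kernel validates, scales and clamps these values, and ADJ_OFFSET under STA_PLL also feeds time_freq; none of that is modelled here).

```c
/* Added example, not code from the patch series: classify an adjtimex(2)
 * request as read-only or modifying, then model which of the variables the
 * cover letter lists actually change, comparing old and new values per
 * variable. ADJ_ and STA_ values mirror <uapi/linux/timex.h>; struct tx_req
 * and struct ntp_state are simplified stand-ins for struct timex and the
 * kernel/time/ntp.c state (the kernel also scales and clamps; omitted here). */
#include <stdio.h>

enum {  /* mode and status bits, as in <uapi/linux/timex.h> */
    ADJ_OFFSET = 0x0001, ADJ_FREQUENCY = 0x0002, ADJ_MAXERROR = 0x0004,
    ADJ_ESTERROR = 0x0008, ADJ_STATUS = 0x0010, ADJ_TIMECONST = 0x0020,
    ADJ_TAI = 0x0080, ADJ_SETOFFSET = 0x0100, ADJ_MICRO = 0x1000,
    ADJ_NANO = 0x2000, ADJ_TICK = 0x4000, ADJ_ADJTIME = 0x8000,
    ADJ_OFFSET_SINGLESHOT = 0x8001, ADJ_OFFSET_SS_READ = 0xa001,
    ADJ_OFFSET_READONLY = 0x2000,
    STA_UNSYNC = 0x0040, STA_NANO = 0x2000, STA_RONLY = 0xff00,
};

struct tx_req {                /* the struct timex fields this model reads */
    unsigned int modes;
    long offset, freq, maxerror, esterror, constant, tick;
    int status;
};

/* Variables the cover letter proposes to audit; the index doubles as the bit
 * position in the change mask that apply_and_diff() returns. */
enum { INJOFFSET, TAI, OFFSET, FREQ, STATUS, MAXERROR, ESTERROR, CONSTANT,
       ADJUST, TICK, NVARS };
static const char *const var_names[NVARS] = { "injoffset", "tai", "offset",
    "freq", "status", "maxerror", "esterror", "constant", "adjust", "tick" };

/* Simplified NTP state; INJOFFSET stores nothing, it goes straight to the clock. */
struct ntp_state { long v[NVARS]; };

/* Read-only iff nothing can be written: modes == 0, or an adjtime()-style request
 * (ADJ_ADJTIME) carrying ADJ_OFFSET_READONLY, i.e. the ADJ_OFFSET_SS_READ poll
 * that NTP daemons issue all the time. */
int adjtimex_is_modifying(unsigned int modes)
{
    if (modes & ADJ_ADJTIME)
        return !(modes & ADJ_OFFSET_READONLY);
    return modes != 0;
}

/* Apply the request in the order ntp.c handles the mode bits; return the mask
 * of variables whose value really changed. */
unsigned int apply_and_diff(struct ntp_state *st, const struct tx_req *tx)
{
    struct ntp_state old = *st;
    unsigned int changed = 0;
    long *v = st->v;

    if (tx->modes & ADJ_SETOFFSET)   /* delta lives in struct timex .time; */
        changed |= 1u << INJOFFSET;  /* no old/new pair, so always reported */
    if (tx->modes & ADJ_ADJTIME) {
        if (!(tx->modes & ADJ_OFFSET_READONLY))
            v[ADJUST] = tx->offset;
    } else if (tx->modes) {
        if (tx->modes & ADJ_STATUS)  /* STA_RONLY bits survive the write */
            v[STATUS] = (v[STATUS] & STA_RONLY) | (tx->status & ~STA_RONLY);
        if (tx->modes & ADJ_NANO)      v[STATUS] |= STA_NANO;
        if (tx->modes & ADJ_MICRO)     v[STATUS] &= ~STA_NANO;
        if (tx->modes & ADJ_FREQUENCY) v[FREQ] = tx->freq;
        if (tx->modes & ADJ_MAXERROR)  v[MAXERROR] = tx->maxerror;
        if (tx->modes & ADJ_ESTERROR)  v[ESTERROR] = tx->esterror;
        if (tx->modes & ADJ_TIMECONST) v[CONSTANT] = tx->constant;
        if (tx->modes & ADJ_TAI && tx->constant >= 0)
            v[TAI] = tx->constant;   /* the TAI offset travels in .constant */
        if (tx->modes & ADJ_OFFSET)    v[OFFSET] = tx->offset;
        if (tx->modes & ADJ_TICK)      v[TICK] = tx->tick;
    }
    for (int i = TAI; i < NVARS; i++)
        if (v[i] != old.v[i])
            changed |= 1u << i;
    return changed;
}

/* Print one line per call naming the changed variables, audit-record style. */
static void print_changes(unsigned int modes, unsigned int mask)
{
    printf("modes=0x%04x modifying=%d changed:", modes, adjtimex_is_modifying(modes));
    for (int i = 0; i < NVARS; i++)
        if (mask & (1u << i))
            printf(" %s", var_names[i]);
    printf("%s\n", mask ? "" : " none");
}

int main(void)
{
    /* Constructed requests: a chronyd-style poll, a step with ns resolution,
     * a status write that changes nothing, and a TAI offset update. */
    struct ntp_state st = { .v = { [TICK] = 10000, [STATUS] = STA_UNSYNC } };
    struct tx_req reqs[] = {
        { .modes = ADJ_OFFSET_SS_READ, .offset = 12345 },
        { .modes = ADJ_SETOFFSET | ADJ_NANO },
        { .modes = ADJ_STATUS, .status = STA_UNSYNC },
        { .modes = ADJ_TAI, .constant = 37 },
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        print_changes(reqs[i].modes, apply_and_diff(&st, &reqs[i]));
    return 0;
}
```

Two details worth noticing when reading the output. A plain `modes != 0` test would flag every ADJ_OFFSET_SS_READ poll as a modification, which is exactly the log flooding the cover letter wants to avoid, so the ADJ_ADJTIME/ADJ_OFFSET_READONLY case has to be handled first. And an ADJ_STATUS write that repeats the current status produces no record at all once changes are detected by comparing old and new values rather than by looking at the mode bits, while an ADJ_NANO bit quietly flips STA_NANO even though no ADJ_STATUS was requested.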