Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp885550imm; Wed, 22 Aug 2018 14:29:30 -0700 (PDT) X-Google-Smtp-Source: AA+uWPzNnNcIUtEjmekh8RzzbNA/BfR3xR52KbgeI5mCvkJ3VSKEfD4ibXTyPBkHqq+lpXEP02a8 X-Received: by 2002:a63:1506:: with SMTP id v6-v6mr10811034pgl.150.1534973370628; Wed, 22 Aug 2018 14:29:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1534973370; cv=none; d=google.com; s=arc-20160816; b=FB2QpeZU17Her6Tjy3X76NiaKVYh+zh2PTLLikzYrUqerLULcm+20mMTnMydsDHnRx 7NqeKIodb8UaIihnP+OvqnQS8itcJzzaJFGViaMssbUbwiY1FSNZ00HV2vXtc1Fddjvw z3wjfsXDxJ3NwHYxHQ02LXyuvphLcd+voEL0JuWX7kuMPpylvDAzIqQbt01cHNrZ7wIB paHRXFUx40KR6umpspSZhNnPpaqcXcCgAoMFRhxQKlLYZvFB4//uREwEgJktL86WnvIP Uq+nzzPYlWDxXhl28E9P4gUYSqiIMKx3zxYsjF7tyOBV1yeqFPfg3kzYXWrrCfJUOxbf TWqg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature :arc-authentication-results; bh=Cm+nAL3IIhx6QRZZYR+YGJCmHAXx9DJF+n4BLRzP6dU=; b=s/9JboSjmL1xi7W/eUTrVGSIquWLvFtFr/yCJXn3agoA6iDvDtRvmA+kGOrhUVGCIJ oQNhubuJSJJYMlky8Ohtr0LplweO6lvnaM1BHl8cOVM6/KAKGrBYS0cfsNaA8iKMaRT2 KO3nZ3AZXLsOjNd08RjRmjFxBcqoASZXhNT1QMPnwYDAyPCscI38JuhKxgau8ZS3ZtUZ v1TjqUc5ecBmYhjHopYC63Q2xNALkXZ9gz5S2hbJxN50fp+f6Ip4oDPtlS9OtMpo7Xil akX89OfvQ8c9llkOF3xHKNXgpD5/gViIQ5KU5RRibIY81vlTrsZJV6zuBsHoG9ofBMK1 noOA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=d+aV+3wj; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k11-v6si2422250pgj.688.2018.08.22.14.29.13; Wed, 22 Aug 2018 14:29:30 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=d+aV+3wj; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727522AbeHWAyE (ORCPT + 99 others); Wed, 22 Aug 2018 20:54:04 -0400 Received: from mail-lf1-f68.google.com ([209.85.167.68]:34160 "EHLO mail-lf1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727046AbeHWAyD (ORCPT ); Wed, 22 Aug 2018 20:54:03 -0400 Received: by mail-lf1-f68.google.com with SMTP id g9-v6so2497631lfh.1 for ; Wed, 22 Aug 2018 14:27:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Cm+nAL3IIhx6QRZZYR+YGJCmHAXx9DJF+n4BLRzP6dU=; b=d+aV+3wjv3KVmrx0Ry7/8GLpj0tQOudnHMs23HeK63bguB/flgbeU3wpoIk2xipKuZ s+DU3hHcvw55XS5/5737+IDSCsMRvaIoOkmlmfvVze98Do/t1g8PrddMB6aPnfbw2HUd xXu/OBb9wUPO7Pt1zX9g3DZrjJ+7CoJD/QZI+KmuuwxVF+ZFxHh9+UW6ac2FJgl+A8Wp 6aCAiYmPNKdyft8POsrXx9XE4s6uLfrbmH5D0HrBijqqHg2eznP6IGb/jqo0q1gf8+pl TuJCM14NdBsasy0tM2J8EJddEcsYDLHggz3JQGugBHn3QwwNByAAb7woyqU48p+UMX+X nu0Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Cm+nAL3IIhx6QRZZYR+YGJCmHAXx9DJF+n4BLRzP6dU=; b=fiHFHKAPxb2S5/3bDw3ANIr2X869X9npT6H5BCfnGciRXgUhaTNWahO1qHyWwqPYih yIBcOkkiRWAfJ2HOhVgl51ETOFoj58q5+oJvKWCAIBkSstRXDWTuAReiIHEIfjhEr+Ma u37vPshcywx/kgSpDdZthKW5PaWZk4gvKwAUn7SHXjWbFouXJAi+nmCplxnQ2KpYJHn9 IzISj+qVvKbRa2sFWn8Pub9Yy6ncvpLrtXUn6NMEiyMiNZpfLU+a6l6HQhJIRQiTgxLL aCaSDHBWUJZJuzwCLYvm1aKUy2O8UNgLKELdl7VX/WdGb0GWsBTxgs3Q83mAgcgu1dT9 PP+g== X-Gm-Message-State: APzg51CvlQ68FZFwrhWMAGz1VKxFg6yx9S2nwtbFDO31UJ26OuvZSr8A aocfG7CelygMBeuJNvwUYrlSDJ2738e/uef6Xp/cag4= X-Received: by 2002:a19:14e6:: with SMTP id 99-v6mr5673367lfu.26.1534973248688; Wed, 22 Aug 2018 14:27:28 -0700 (PDT) MIME-Version: 1.0 References: <20180820123818.27547-1-omosnace@redhat.com> <20180821072114.GC23069@localhost> In-Reply-To: <20180821072114.GC23069@localhost> From: Paul Moore Date: Wed, 22 Aug 2018 17:27:17 -0400 Message-ID: Subject: Re: [RFC PATCH ghak10 v4 0/2] audit: Log modifying adjtimex(2) calls To: mlichvar@redhat.com, omosnace@redhat.com Cc: tglx@linutronix.de, linux-audit@redhat.com, rgb@redhat.com, sgrubb@redhat.com, john.stultz@linaro.org, sboyd@kernel.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Aug 21, 2018 at 3:21 AM Miroslav Lichvar wrote: > > On Mon, 20 Aug 2018, Ondrej Mosnacek wrote: > > > @John or other timekeeping/NTP folks: We had a discussion on the audit > > > ML on which of the internal timekeeping/NTP variables we should actually > > > log changes for. We are only interested in variables that can (directly > > > or indirectly) cause noticeable changes to the system clock, but since we > > > have only limited understanding of the NTP code, we would like to ask > > > you for advice on which variables are security relevant. > > I guess that mostly depends on whether you consider setting the clock > to run faster or slower than real time to be an important event for > the audit. > > > > - NTP value adjustments: > > > - time_offset (probably important) > > This can adjust the clock by up to 0.5 seconds per call and also speed > it up or slow down by up to about 0.05% (43 seconds per day). This seems worthwhile. > > > - time_freq (maybe not important?) > > This can speed up or slow down by up to about 0.05%. This too. > > > - time_status (likely important, can cause leap second injection) > > Yes, it can insert/delete leap seconds and it also enables/disables > synchronization of the hardware real-time clock. This one as well. > > > - time_maxerror (maybe not important?) > > > - time_esterror (maybe not important?) > > These two change the error estimates that are reported to applications > using ntp_gettime()/adjtimex(). If an application was periodically > checking that the clock is synchronized with some specified accuracy > and setting the maxerror to a larger value would cause the application > to abort, would it be an important event in the audit? Since these don't really affect the time, just the expected error, I'm not sure this is important. > > > - time_constant (???) > > This controls the speed of the clock adjustments that are made when > time_offset is set. Probably not important for the audit. Agreed. I think we can skip this. > > > - time_adjust (sounds important) > > This is similar to time_freq. It can temporarily speed up or slow down > the clock by up to 0.05%. Like time_freq, we should probably log this too. > > > - tick_usec (???) > > This is a more extreme version of time_freq. It can speed up or slow > down the clock by up to 10%. Let's audit this one too. -- paul moore www.paul-moore.com