Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp1394185imm; Thu, 23 Aug 2018 02:16:26 -0700 (PDT) X-Google-Smtp-Source: AA+uWPw0+gD41jlJWwSBvh04dtfbb9uYbf+AG7dtm9zoWT5aBu1+oWsTTsTPzik2BsryFGZbKBC7 X-Received: by 2002:a63:10c:: with SMTP id 12-v6mr22421865pgb.62.1535015786588; Thu, 23 Aug 2018 02:16:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1535015786; cv=none; d=google.com; s=arc-20160816; b=OTUdZZc3JIA/JSsby4f8eJc3dwpFesS+U0I/7dyPz1bRWCgIxHydwh5OyVw8HyzaOP jeTd1HAaHEHzJc81MouAvgRtZlz0YRpz4+PyXrliemJWqsVtdnnniuwWR3/++XbEO3yh GxP/bFhPXR1de6vkUAuCzywWC1jw1aEYeBBxdGdEkLTtrCO79h8qVkflBWd0uQYZKqu9 /Z9knJUFZqhVDxW07rtjso97+suuCsszcJ9UhIX/rmhTxCAhDbFakf9J97zMrBa39lLU 2AGQE1kvR1szQEdva+1ZoaOodd47VtoX1j/9Zu0lppBjzOxoNFKvwpkEgc5+osNcafvm VhKA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:arc-authentication-results; bh=tLJzq+C6pa+C1Jpovr9YO+dgBwkMXPh4cixUYoASV/M=; b=MpwkAT1Ik1I/RQokqRXYhWj0XzIuNpunWQ7jevPn2QAkHinavkTgtFDzADPXqGOETz 5dRorR6p9K+3KPQbvFwEDfVqCwHuCN/ijwQsm2pn7VcnXFeryYrvOVqxfZdGDJmWsynX +TLG/TiU6DJaNfIWJhYe+/vCCfgT/UDWhZ4UJ1jUFEd4gEmgGM519xaVDQ+eDbTmYCKe 2+tLdo317PVCSN8cmtWnpu2TLhk/TEEKV+el1vQs360XL1t5JZTb2/VLCfa/VhXGdnph dhQA3b84xcDRa5OQ3DD8vS1w+GFYD6ivfehRJkxIicL6OqNeDf/c2wBwKeKejACvw1hk PtvQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v1-v6si3885812plb.387.2018.08.23.02.16.10; Thu, 23 Aug 2018 02:16:26 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389011AbeHWMnN (ORCPT + 99 others); Thu, 23 Aug 2018 08:43:13 -0400 Received: from mail-oi0-f65.google.com ([209.85.218.65]:43187 "EHLO mail-oi0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730691AbeHWMnM (ORCPT ); Thu, 23 Aug 2018 08:43:12 -0400 Received: by mail-oi0-f65.google.com with SMTP id b15-v6so8060896oib.10 for ; Thu, 23 Aug 2018 02:14:27 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=tLJzq+C6pa+C1Jpovr9YO+dgBwkMXPh4cixUYoASV/M=; b=hgSn9s49qhTlKW3y2JGHCDDQtqhiejzIN1zlDOd7Zkvv2sw0mlXXEOsMYWWEfFCYCb 1ylIpwdgsQCgYp/VFt/Z2tqsl3Z5Yw4R/oDEckBHDxttAhrDC6CbtxF+DQNPVnmTPnNM h8VkwNatx7jqQlu8KEzqpDXNdEo5f8Z+RzLvaniQd9A0QcyXvfKoCqWvpmic+2b3LeNo T5rlJ2n3ZZUDL9BwHRk6kxrBSFd+oLgwLvWRYcSoS9IZ62gSYqOtAloXMS15GrDtZbin KoJxCA4cevXbwhqSeATBTOuuvPdg4CU3xORz04ikbBSgiFvmrVsNX+y60B4+Cg/K7Vwl 11VQ== X-Gm-Message-State: APzg51B47b921GewdK5pAqWSi8DWr5a6Z5FsuT6ZW4R1MmgKEE9o9rp2 k2jhyaq9bl33hfnAq9a6ateRjvt8KD/Ng8vCd+vT6g== X-Received: by 2002:aca:d098:: with SMTP id j24-v6mr5541907oiy.72.1535015666555; Thu, 23 Aug 2018 02:14:26 -0700 (PDT) MIME-Version: 1.0 References: <20180820123818.27547-1-omosnace@redhat.com> <20180821072114.GC23069@localhost> In-Reply-To: From: Ondrej Mosnacek Date: Thu, 23 Aug 2018 11:14:15 +0200 Message-ID: Subject: Re: [RFC PATCH ghak10 v4 0/2] audit: Log modifying adjtimex(2) calls To: Paul Moore Cc: mlichvar@redhat.com, Thomas Gleixner , Linux-Audit Mailing List , Richard Guy Briggs , Steve Grubb , John Stultz , Stephen Boyd , Linux kernel mailing list Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Aug 22, 2018 at 11:27 PM Paul Moore wrote: > On Tue, Aug 21, 2018 at 3:21 AM Miroslav Lichvar wrote: > > > On Mon, 20 Aug 2018, Ondrej Mosnacek wrote: > > > > @John or other timekeeping/NTP folks: We had a discussion on the audit > > > > ML on which of the internal timekeeping/NTP variables we should actually > > > > log changes for. We are only interested in variables that can (directly > > > > or indirectly) cause noticeable changes to the system clock, but since we > > > > have only limited understanding of the NTP code, we would like to ask > > > > you for advice on which variables are security relevant. > > > > I guess that mostly depends on whether you consider setting the clock > > to run faster or slower than real time to be an important event for > > the audit. > > > > > > - NTP value adjustments: > > > > - time_offset (probably important) > > > > This can adjust the clock by up to 0.5 seconds per call and also speed > > it up or slow down by up to about 0.05% (43 seconds per day). > > This seems worthwhile. > > > > > - time_freq (maybe not important?) > > > > This can speed up or slow down by up to about 0.05%. > > This too. > > > > > - time_status (likely important, can cause leap second injection) > > > > Yes, it can insert/delete leap seconds and it also enables/disables > > synchronization of the hardware real-time clock. > > This one as well. > > > > > - time_maxerror (maybe not important?) > > > > - time_esterror (maybe not important?) > > > > These two change the error estimates that are reported to applications > > using ntp_gettime()/adjtimex(). If an application was periodically > > checking that the clock is synchronized with some specified accuracy > > and setting the maxerror to a larger value would cause the application > > to abort, would it be an important event in the audit? > > Since these don't really affect the time, just the expected error, I'm > not sure this is important. > > > > > - time_constant (???) > > > > This controls the speed of the clock adjustments that are made when > > time_offset is set. Probably not important for the audit. > > Agreed. I think we can skip this. > > > > > - time_adjust (sounds important) > > > > This is similar to time_freq. It can temporarily speed up or slow down > > the clock by up to 0.05%. > > Like time_freq, we should probably log this too. > > > > > - tick_usec (???) > > > > This is a more extreme version of time_freq. It can speed up or slow > > down the clock by up to 10%. > > Let's audit this one too. I agree with Paul on all counts. I will go ahead and prepare a patchset that logs everything except maxerror, esterror, and constant. Thank you, Miroslav, for the explanations! -- Ondrej Mosnacek Associate Software Engineer, Security Technologies Red Hat, Inc.