Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp2759782imm;
        Fri, 24 Aug 2018 05:01:58 -0700 (PDT)
X-Google-Smtp-Source: ANB0VdY8qJVUfCScQr5/2Hf+By9T7IxUjlVOxJmYhJk9dZwDtqOYo5nFj7aYls6wkTmf5MTDKGu2
X-Received: by 2002:a62:4bc6:: with SMTP id d67-v6mr1672207pfj.175.1535112118243;
        Fri, 24 Aug 2018 05:01:58 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1535112118; cv=none;
        d=google.com; s=arc-20160816;
        b=UPqYJEyAHYhWXM0sV44yAv9+mwHHVPyj5PWDu0ZRxgRC30TiKcq+YOhoYLF3/wTNyd
         vagG/KuJCEsaFAMUh+J4HELEuPmAsi+vN6wEs5RBlXmEzbc92wN/C87bnuTqn5o2tW1e
         5uRVO5QeHf/Bl6tJ88ZkooM7/PH8WWQ7EfRbLHZh1GlkGAgJ5Zu+AS80DNmmwPh4ARka
         +SvCUkdaXl09Z19Q7/L4zSJfj5geHgAdkaIYbCKGtKFs2JqnAdi9LV/4WsEVq3VYHld2
         91GB9EMKikjReOGYlg32uzw4a55wmfUsVtfG4TJd/sNYh1uT2eFT3WyqgR7KCAJVtC/j
         x6Rg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=Rn00d9pSBTeNospuZdDtkSkJmPixbEgdcpQRmMD9WGI=;
        b=ipE0Rj9PQnfpC8uaUP7baRMWyTzdmbhPfAWab7erwW0U0Mgce1x5dytP3TOe6ILKhW
         2weS5tlnzIlzgJukmmqQg/hr9Krml9p5IXvAg1iYptJItWkDLtWM0cbD8vqFDqre+T0m
         ev3TYuk0YvecnabIM5wxsD4iAVjEREGdjE2/Hugb+97+oX01YgFZZTe08Jqr+llpxuJQ
         txeQ3k7MmsCkb3zEPmW+gaInEVc+r1HUUGT3BuRM1H4hCaadKR6nplZrxaNBr2b5GJVV
         DcSM/EA7ytehuo2vk3ELSx+0sWv2QIDvJ/AMnZ1yowLPzT8/TaF5GZyVq1OnHUTuEmIg
         9ziw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id a4-v6si6105483pll.303.2018.08.24.05.01.42;
        Fri, 24 Aug 2018 05:01:58 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727562AbeHXPes (ORCPT <rfc822;plaguedbypenguins@gmail.com>
        + 99 others); Fri, 24 Aug 2018 11:34:48 -0400
Received: from mail-wr1-f67.google.com ([209.85.221.67]:43362 "EHLO
        mail-wr1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726513AbeHXPes (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 24 Aug 2018 11:34:48 -0400
Received: by mail-wr1-f67.google.com with SMTP id k5-v6so7266538wre.10
        for <linux-kernel@vger.kernel.org>; Fri, 24 Aug 2018 05:00:26 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id;
        bh=Rn00d9pSBTeNospuZdDtkSkJmPixbEgdcpQRmMD9WGI=;
        b=CMiRL1Anuhr59hj5rYanUxP1OQEnXczb77rWBvfC/gGfioBanuGzLnZIRNFuoFEjPS
         iZsmMNrviuEzSmC+MQQmMlP1fxV55WJ6Gd/j97cQNf4L5xPbLGwOgzBOOkJSbLFweEhr
         K1xswArBZ3jHvOSXntje2jLUKxVYs7qS5JPvMVBc69vAu7+75OpNuGOkxJ6BUd8u1dgz
         6Bg28oPJW9E6MeN/Uo2jLab6DMWVjPt+S8wf1orDWPt0JhS7euQGhM9AVb7hU4AEz4/9
         70navZ7+Tik4imFCiwLdIRkGZrBLnzQZn66TsqS4eBQ0rz8JyVFiAD7HGWZcE5jZV8Ph
         cAEA==
X-Gm-Message-State: APzg51DWx0LHD063Il4BrkhKnmCQpnWT5roBkqV2mCR7WS38D5C9pLnN
        rhx1oghVlx2EQkJDDJCmS5qRCA==
X-Received: by 2002:a5d:6984:: with SMTP id g4-v6mr983875wru.232.1535112026055;
        Fri, 24 Aug 2018 05:00:26 -0700 (PDT)
Received: from localhost.localdomain.com (nat-pool-brq-t.redhat.com. [213.175.37.10])
        by smtp.gmail.com with ESMTPSA id r30-v6sm12318999wrc.90.2018.08.24.05.00.24
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Fri, 24 Aug 2018 05:00:25 -0700 (PDT)
From:   Ondrej Mosnacek <omosnace@redhat.com>
To:     linux-audit@redhat.com
Cc:     Paul Moore <paul@paul-moore.com>,
        Richard Guy Briggs <rgb@redhat.com>,
        Steve Grubb <sgrubb@redhat.com>,
        Miroslav Lichvar <mlichvar@redhat.com>,
        John Stultz <john.stultz@linaro.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Stephen Boyd <sboyd@kernel.org>, linux-kernel@vger.kernel.org,
        Ondrej Mosnacek <omosnace@redhat.com>
Subject: [PATCH ghak10 v5 0/2] audit: Log modifying adjtimex(2) calls
Date:   Fri, 24 Aug 2018 13:59:59 +0200
Message-Id: <20180824120001.20771-1-omosnace@redhat.com>
X-Mailer: git-send-email 2.17.1
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

This patchset implements more detailed auditing of the adjtimex(2)
syscall in order to make it possible to:
  a) distinguish modifying vs. read-only calls in the audit log
  b) reconstruct from the audit log what changes were made and how they
     have influenced the system clock

The main motivation is to be able to detect an adversary that tries to
confuse the audit timestamps by changing system time via adjtimex(2),
but at the same time avoid flooding the audit log with records of benign
read-only adjtimex(2) calls.

The current version of the patchset logs the following changes:
  - direct injection of timekeeping offset
  - adjustment of timekeeping's TAI offset
  - NTP value adjustments:
    - time_offset
    - time_freq
    - time_status
    - time_adjust
    - tick_usec

Changes to the following NTP values are not logged, as they are not
important for security:
  - time_maxerror
  - time_esterror
  - time_constant

Audit kernel GitHub issue: https://github.com/linux-audit/audit-kernel/issues/10

Changes in v5:
  - Dropped logging of some less important changes and update commit messages
  - No longer mark the patchset as RFC

v4: https://www.redhat.com/archives/linux-audit/2018-August/msg00023.html
Changes in v4:
  - Squashed first two patches into one
  - Renamed ADJNTPVAL's "type" field to "op" to align with audit record
    conventions
  - Minor commit message editing
  - Cc timekeeping/NTP people for feedback

v3: https://www.redhat.com/archives/linux-audit/2018-July/msg00001.html
Changes in v3:
  - Switched to separate records for each variable
  - Both old and new value is now reported for each change
  - Injecting offset is reported via a separate record (since this
    offset consists of two values and is added directly to the clock,
    i.e. it doesn't make sense to log old and new value)
  - Added example records produced by chronyd -q (see the commit message
    of the last patch)

v2: https://www.redhat.com/archives/linux-audit/2018-June/msg00114.html
Changes in v2:
  - The audit_adjtime() function has been modified to only log those
    fields that contain values that are actually used, resulting in more
    compact records.
  - The audit_adjtime() call has been moved to do_adjtimex() in
    timekeeping.c
  - Added an additional patch (for review) that simplifies the detection
    if the syscall is read-only.

v1: https://www.redhat.com/archives/linux-audit/2018-June/msg00095.html

Ondrej Mosnacek (2):
  audit: Add functions to log time adjustments
  timekeeping/ntp: Audit clock/NTP params adjustments

 include/linux/audit.h      | 21 +++++++++++++++++++++
 include/uapi/linux/audit.h |  2 ++
 kernel/auditsc.c           | 15 +++++++++++++++
 kernel/time/ntp.c          | 38 ++++++++++++++++++++++++++++++--------
 kernel/time/timekeeping.c  |  3 +++
 5 files changed, 71 insertions(+), 8 deletions(-)

-- 
2.17.1