From: Ondrej Mosnacek
To: linux-audit@redhat.com
Cc: Paul Moore, Richard Guy Briggs, Steve Grubb, Miroslav Lichvar, John Stultz, Thomas Gleixner, Stephen Boyd, linux-kernel@vger.kernel.org, Ondrej Mosnacek
Subject: [PATCH ghak10 v5 0/2] audit: Log modifying adjtimex(2) calls
Date: Fri, 24 Aug 2018 13:59:59 +0200
Message-Id: <20180824120001.20771-1-omosnace@redhat.com>
X-Mailer: git-send-email 2.17.1
List-ID: <linux-kernel.vger.kernel.org>

This patchset implements more detailed auditing of the adjtimex(2) syscall in order to make it possible to:

  a) distinguish modifying vs. read-only calls in the audit log
  b) reconstruct from the audit log what changes were made and how they have influenced the system clock

The main motivation is to be able to detect an adversary that tries to confuse the audit timestamps by changing system time via adjtimex(2), but at the same time avoid flooding the audit log with records of benign read-only adjtimex(2) calls.
The current version of the patchset logs the following changes:

- direct injection of timekeeping offset
- adjustment of timekeeping's TAI offset
- NTP value adjustments:
  - time_offset
  - time_freq
  - time_status
  - time_adjust
  - tick_usec

Changes to the following NTP values are not logged, as they are not important for security:

- time_maxerror
- time_esterror
- time_constant

Audit kernel GitHub issue: https://github.com/linux-audit/audit-kernel/issues/10

Changes in v5:
- Dropped logging of some less important changes and updated commit messages
- No longer mark the patchset as RFC

v4: https://www.redhat.com/archives/linux-audit/2018-August/msg00023.html

Changes in v4:
- Squashed first two patches into one
- Renamed ADJNTPVAL's "type" field to "op" to align with audit record conventions
- Minor commit message editing
- Cc timekeeping/NTP people for feedback

v3: https://www.redhat.com/archives/linux-audit/2018-July/msg00001.html

Changes in v3:
- Switched to separate records for each variable
- Both old and new values are now reported for each change
- Injecting offset is reported via a separate record (since this offset consists of two values and is added directly to the clock, i.e. it doesn't make sense to log old and new value)
- Added example records produced by chronyd -q (see the commit message of the last patch)

v2: https://www.redhat.com/archives/linux-audit/2018-June/msg00114.html

Changes in v2:
- The audit_adjtime() function has been modified to only log those fields that contain values that are actually used, resulting in more compact records.
- The audit_adjtime() call has been moved to do_adjtimex() in timekeeping.c
- Added an additional patch (for review) that simplifies the detection if the syscall is read-only.
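The distinction the cover letter draws (read-only vs. modifying calls, and which of the logged quantities a modifying call touches) can be reproduced in user space from the `modes` word of the request alone. The program below is an added example and is not code from this patchset or from the kernel: it classifies an adjtimex(2) request the way the cover letter's lists classify calls. The ADJ_* values are Linux's uapi constants; the mapping from each mode bit to the variable it changes (ADJ_OFFSET to time_offset, ADJ_FREQUENCY to time_freq, ADJ_STATUS plus the ADJ_NANO/ADJ_MICRO unit selectors to time_status, an adjtime()-style request to time_adjust, ADJ_TICK to tick_usec, ADJ_TAI to the TAI offset, ADJ_SETOFFSET to direct offset injection) is taken from the example author's reading of kernel/time/ntp.c and kernel/time/timekeeping.c and is an assumption relative to this message, which only lists the variables. The `adjtimex_is_readonly`, `adjtimex_audited_fields`, `describe` names and the `AUD_*` bitmask are this example's own; the sample requests in `main` are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Mode bits, values as in include/uapi/linux/timex.h. */
#define ADJ_OFFSET            0x0001
#define ADJ_FREQUENCY         0x0002
#define ADJ_MAXERROR          0x0004
#define ADJ_ESTERROR          0x0008
#define ADJ_STATUS            0x0010
#define ADJ_TIMECONST         0x0020
#define ADJ_TAI               0x0080
#define ADJ_SETOFFSET         0x0100
#define ADJ_MICRO             0x1000
#define ADJ_NANO              0x2000
#define ADJ_TICK              0x4000
#define ADJ_ADJTIME           0x8000 /* old-style adjtime() request */
#define ADJ_OFFSET_READONLY   0x2000 /* read-only adjtime(); shares the ADJ_NANO bit */
#define ADJ_OFFSET_SINGLESHOT 0x8001
#define ADJ_OFFSET_SS_READ    0xa001

/* Quantities the cover letter says the patchset logs (example's own bitmask). */
enum audited {
    AUD_INJECT_OFFSET = 1 << 0, /* direct injection of timekeeping offset */
    AUD_TAI           = 1 << 1, /* timekeeping's TAI offset */
    AUD_TIME_OFFSET   = 1 << 2,
    AUD_TIME_FREQ     = 1 << 3,
    AUD_TIME_STATUS   = 1 << 4,
    AUD_TIME_ADJUST   = 1 << 5,
    AUD_TICK_USEC     = 1 << 6,
};

/* Read-only: an empty modes word, or an adjtime()-style request carrying the
 * READONLY bit. These are the calls the kernel accepts without CAP_SYS_TIME
 * (assumed from the kernel's validation logic). */
int adjtimex_is_readonly(unsigned int modes)
{
    if (modes & ADJ_ADJTIME)
        return (modes & ADJ_OFFSET_READONLY) != 0;
    return modes == 0;
}

/* Set of audited quantities a call with these modes would change. */
unsigned int adjtimex_audited_fields(unsigned int modes)
{
    unsigned int aud = 0;

    if (modes & ADJ_SETOFFSET)              /* offset is injected into the clock directly */
        aud |= AUD_INJECT_OFFSET;
    if (modes & ADJ_ADJTIME) {              /* adjtime() path only touches time_adjust */
        if (!(modes & ADJ_OFFSET_READONLY))
            aud |= AUD_TIME_ADJUST;
        return aud;
    }
    if (modes & (ADJ_STATUS | ADJ_NANO | ADJ_MICRO)) /* NANO/MICRO flip STA_NANO in time_status */
        aud |= AUD_TIME_STATUS;
    if (modes & ADJ_FREQUENCY)
        aud |= AUD_TIME_FREQ;
    if (modes & ADJ_TAI)
        aud |= AUD_TAI;
    if (modes & ADJ_OFFSET)
        aud |= AUD_TIME_OFFSET;
    if (modes & ADJ_TICK)
        aud |= AUD_TICK_USEC;
    /* ADJ_MAXERROR, ADJ_ESTERROR and ADJ_TIMECONST change state the patchset
     * deliberately leaves unlogged, so they contribute nothing here. */
    return aud;
}

/* Render the audited-field mask as a comma-separated list. */
static const char *describe(unsigned int aud, char *buf, size_t n)
{
    static const struct { unsigned int bit; const char *name; } names[] = {
        { AUD_INJECT_OFFSET, "inject-offset" }, { AUD_TAI, "tai" },
        { AUD_TIME_OFFSET, "time_offset" },     { AUD_TIME_FREQ, "time_freq" },
        { AUD_TIME_STATUS, "time_status" },     { AUD_TIME_ADJUST, "time_adjust" },
        { AUD_TICK_USEC, "tick_usec" },
    };
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (!(aud & names[i].bit))
            continue;
        if (buf[0])
            strncat(buf, ",", n - strlen(buf) - 1);
        strncat(buf, names[i].name, n - strlen(buf) - 1);
    }
    return buf[0] ? buf : "(none)";
}

int main(void)
{
    /* Constructed sample requests, not captured from any real daemon. */
    const unsigned int samples[] = {
        0,                                         /* plain status read */
        ADJ_OFFSET_SS_READ,                        /* read-only adjtime() */
        ADJ_OFFSET_SINGLESHOT,                     /* adjtime() slew */
        ADJ_OFFSET | ADJ_FREQUENCY | ADJ_MAXERROR, /* offset + frequency steering */
        ADJ_SETOFFSET | ADJ_NANO,                  /* step the clock */
        ADJ_MAXERROR | ADJ_ESTERROR,               /* modifying, yet nothing audited */
    };
    char buf[128];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned int m = samples[i];
        printf("modes=0x%04x %-9s audited: %s\n", m,
               adjtimex_is_readonly(m) ? "read-only" : "modifying",
               describe(adjtimex_audited_fields(m), buf, sizeof buf));
    }
    return 0;
}
```

The last sample is the case the cover letter's "not important for security" list creates: a call that needs CAP_SYS_TIME and does change kernel state, but for which the patchset emits no record. Anyone correlating these records with other audit events should expect that gap rather than treat "no ADJNTPVAL record" as "no modifying call".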
v1: https://www.redhat.com/archives/linux-audit/2018-June/msg00095.html

Ondrej Mosnacek (2):
  audit: Add functions to log time adjustments
  timekeeping/ntp: Audit clock/NTP params adjustments

 include/linux/audit.h      | 21 +++++++++++++++++++++
 include/uapi/linux/audit.h |  2 ++
 kernel/auditsc.c           | 15 +++++++++++++++
 kernel/time/ntp.c          | 38 ++++++++++++++++++++++++++++++--------
 kernel/time/timekeeping.c  |  3 +++
 5 files changed, 71 insertions(+), 8 deletions(-)

-- 
2.17.1