Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp747362imm;
        Thu, 13 Sep 2018 07:10:55 -0700 (PDT)
X-Google-Smtp-Source: ANB0VdbGMmVCRpksTI3ewz6h9ya01Pp433GaSLy9FBkLJRMFsSmJL0mMLUWHKcuBozHvEmAEQ5bS
X-Received: by 2002:a63:ca09:: with SMTP id n9-v6mr7353427pgi.287.1536847855004;
        Thu, 13 Sep 2018 07:10:55 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1536847854; cv=none;
        d=google.com; s=arc-20160816;
        b=CIEIkNJRX8ybZ1Oonmf8nphVJzJ+AsFqBuoqDa3euh682DBLv6yE7C/h1s2JMtDxtn
         pKQERLiyTzsQgWXlMo241a+UWuhzE9yVU1hyfmOE/Anm5xicnIyMUb8q/f81xSrgEwUY
         atr8eh+n+pF+BLu1NrZFHkHsjK/WWu2TQ4StWHIst0ui3wo63fG5I/q0kHtkOlJVCHVq
         PSGgDequ/j695Wc/aY74+TMKiHwfidpg/wHqKqRc0WiKdWvami/2Ejel+qbFXg5nfEGU
         H3jlzeICJJ7AuFyCxPq3h9YKeuXW0zM91NoCjirzKYAcv47QagsP7/H2EPuEfzDTx5Ej
         Jchw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version;
        bh=qyzbjWylZk4vNomlZFP0KUtwEYhxD/Np8KXad4/GNkY=;
        b=F+ssk/9fYWzJlFvA8fy50PF1J3dmZGvgPVtJsLljte802nMIsKaD28k+ZsK5+U9D4V
         LJytpH84J/hxfll02shxcToq7zphvMVgRJUnQeRxWM4UzoGwGoWnUzu6D4RsflYt07jt
         Yeobft96AMN0lA4u4AR3gDdGIAujErcQrXMJwDgjvHMCnVImrTubb2LEuNywGGz2vk6k
         CNtCjOwsOm3jYhDqU1nNzg8hw+Iepil3B++zHxPT3+l0Ez39OGMVYmESsNfb+yJRZuXm
         2HjOscT1aB4y7E3kJk67XHn+1Il2x0ktc0+7pY6ITrKrC8EOiwJ4v+Z7k7tUhQlLtI7n
         ZRaw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 185-v6si4177346pgj.511.2018.09.13.07.10.35;
        Thu, 13 Sep 2018 07:10:54 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1731579AbeIMTIV (ORCPT <rfc822;fezhang.suse@gmail.com>
        + 99 others); Thu, 13 Sep 2018 15:08:21 -0400
Received: from mail-ot1-f68.google.com ([209.85.210.68]:39559 "EHLO
        mail-ot1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1731286AbeIMTIV (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 13 Sep 2018 15:08:21 -0400
Received: by mail-ot1-f68.google.com with SMTP id c12-v6so1304576otl.6
        for <linux-kernel@vger.kernel.org>; Thu, 13 Sep 2018 06:58:44 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=qyzbjWylZk4vNomlZFP0KUtwEYhxD/Np8KXad4/GNkY=;
        b=i89PGCGlbBPwpdfn5kaz2advnjgXS8DuEugCHyhmd+DcBgEbtyb2oL2q420f5eNiAi
         oyhyKTPysBoGbIAtMmWIXlf1+/humrDT5FwIMPjKr34oFQmnOgkTqqA43P0m0FZwZGFM
         1cIxHEInPcLyv4co3Ku1RoaEyAN7/acE9u6XwcenBk0Ji9dAQ4KSSqPvlcbvxFgtY8rw
         h/4KmNU9OpVW3WGhByqP9EOMNfM4vZ+FVI3iGw6tYDIYokfAvW9NZcWjwBwNfkKGvA4J
         tOwCUtd9Ig8ruxgH1t3Fm5dfLTZP0ZmTkQ5m36Y47kHa2cUxQFOBWDwbxsenmi2FFX4z
         kS+w==
X-Gm-Message-State: APzg51BJn7QIaUhkYcqAvYnEKHYtT3SxqOKr8TYYI99GscLRc8GwFa4A
        zFYrCEUA24TQKIhXch7/orOt2XXT74pNVDc+FQHPhQ==
X-Received: by 2002:a9d:1cac:: with SMTP id l44-v6mr1229816ota.359.1536847123882;
 Thu, 13 Sep 2018 06:58:43 -0700 (PDT)
MIME-Version: 1.0
References: <20180820123818.27547-1-omosnace@redhat.com> <20180821072114.GC23069@localhost>
 <CAHC9VhQCB5kB9Vy-TWwu-Z62p2XcPpKwsFLB647=usVM2EE=LA@mail.gmail.com> <2148764.ODNUjEgRWb@x2>
In-Reply-To: <2148764.ODNUjEgRWb@x2>
From:   Ondrej Mosnacek <omosnace@redhat.com>
Date:   Thu, 13 Sep 2018 15:58:32 +0200
Message-ID: <CAFqZXNtsjAt3ks7L=e24UVhx23bihz1MLN7gKihs=LFJDShutg@mail.gmail.com>
Subject: Re: [RFC PATCH ghak10 v4 0/2] audit: Log modifying adjtimex(2) calls
To:     Steve Grubb <sgrubb@redhat.com>
Cc:     Paul Moore <paul@paul-moore.com>,
        Miroslav Lichvar <mlichvar@redhat.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Linux-Audit Mailing List <linux-audit@redhat.com>,
        Richard Guy Briggs <rgb@redhat.com>,
        John Stultz <john.stultz@linaro.org>,
        Stephen Boyd <sboyd@kernel.org>,
        Linux kernel mailing list <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Aug 24, 2018 at 4:56 PM Steve Grubb <sgrubb@redhat.com> wrote:
> On Wednesday, August 22, 2018 5:27:17 PM EDT Paul Moore wrote:
> > On Tue, Aug 21, 2018 at 3:21 AM Miroslav Lichvar <mlichvar@redhat.com>
> wrote:
> > > > On Mon, 20 Aug 2018, Ondrej Mosnacek wrote:
> > > > > @John or other timekeeping/NTP folks: We had a discussion on the
> > > > > audit
> > > > > ML on which of the internal timekeeping/NTP variables we should
> > > > > actually
> > > > > log changes for. We are only interested in variables that can
> > > > > (directly
> > > > > or indirectly) cause noticeable changes to the system clock, but
> > > > > since we
> > > > > have only limited understanding of the NTP code, we would like to ask
> > > > > you for advice on which variables are security relevant.
> > >
> > > I guess that mostly depends on whether you consider setting the clock
> > > to run faster or slower than real time to be an important event for
> > > the audit.
> > >
> > > > > - NTP value adjustments:
> > > > > - time_offset (probably important)
> > >
> > > This can adjust the clock by up to 0.5 seconds per call and also speed
> > > it up or slow down by up to about 0.05% (43 seconds per day).
> >
> > This seems worthwhile.
> >
> > > > > - time_freq (maybe not important?)
> > >
> > > This can speed up or slow down by up to about 0.05%.
> >
> > This too.
> >
> > > > > - time_status (likely important, can cause leap second injection)
> > >
> > > Yes, it can insert/delete leap seconds and it also enables/disables
> > > synchronization of the hardware real-time clock.
> >
> > This one as well.
> >
> > > > > - time_maxerror (maybe not important?)
> > > > > - time_esterror (maybe not important?)
> > >
> > > These two change the error estimates that are reported to applications
> > > using ntp_gettime()/adjtimex(). If an application was periodically
> > > checking that the clock is synchronized with some specified accuracy
> > > and setting the maxerror to a larger value would cause the application
> > > to abort, would it be an important event in the audit?
> >
> > Since these don't really affect the time, just the expected error, I'm
> > not sure this is important.
>
> I don't think so.

Sorry, just to make sure I understand it right - do you (also) not
think it is important or do you not think it is not important? :)

--
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.