Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp747362imm; Thu, 13 Sep 2018 07:10:55 -0700 (PDT) X-Google-Smtp-Source: ANB0VdbGMmVCRpksTI3ewz6h9ya01Pp433GaSLy9FBkLJRMFsSmJL0mMLUWHKcuBozHvEmAEQ5bS X-Received: by 2002:a63:ca09:: with SMTP id n9-v6mr7353427pgi.287.1536847855004; Thu, 13 Sep 2018 07:10:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1536847854; cv=none; d=google.com; s=arc-20160816; b=CIEIkNJRX8ybZ1Oonmf8nphVJzJ+AsFqBuoqDa3euh682DBLv6yE7C/h1s2JMtDxtn pKQERLiyTzsQgWXlMo241a+UWuhzE9yVU1hyfmOE/Anm5xicnIyMUb8q/f81xSrgEwUY atr8eh+n+pF+BLu1NrZFHkHsjK/WWu2TQ4StWHIst0ui3wo63fG5I/q0kHtkOlJVCHVq PSGgDequ/j695Wc/aY74+TMKiHwfidpg/wHqKqRc0WiKdWvami/2Ejel+qbFXg5nfEGU H3jlzeICJJ7AuFyCxPq3h9YKeuXW0zM91NoCjirzKYAcv47QagsP7/H2EPuEfzDTx5Ej Jchw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version; bh=qyzbjWylZk4vNomlZFP0KUtwEYhxD/Np8KXad4/GNkY=; b=F+ssk/9fYWzJlFvA8fy50PF1J3dmZGvgPVtJsLljte802nMIsKaD28k+ZsK5+U9D4V LJytpH84J/hxfll02shxcToq7zphvMVgRJUnQeRxWM4UzoGwGoWnUzu6D4RsflYt07jt Yeobft96AMN0lA4u4AR3gDdGIAujErcQrXMJwDgjvHMCnVImrTubb2LEuNywGGz2vk6k CNtCjOwsOm3jYhDqU1nNzg8hw+Iepil3B++zHxPT3+l0Ez39OGMVYmESsNfb+yJRZuXm 2HjOscT1aB4y7E3kJk67XHn+1Il2x0ktc0+7pY6ITrKrC8EOiwJ4v+Z7k7tUhQlLtI7n ZRaw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 185-v6si4177346pgj.511.2018.09.13.07.10.35; Thu, 13 Sep 2018 07:10:54 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731579AbeIMTIV (ORCPT + 99 others); Thu, 13 Sep 2018 15:08:21 -0400 Received: from mail-ot1-f68.google.com ([209.85.210.68]:39559 "EHLO mail-ot1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731286AbeIMTIV (ORCPT ); Thu, 13 Sep 2018 15:08:21 -0400 Received: by mail-ot1-f68.google.com with SMTP id c12-v6so1304576otl.6 for ; Thu, 13 Sep 2018 06:58:44 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qyzbjWylZk4vNomlZFP0KUtwEYhxD/Np8KXad4/GNkY=; b=i89PGCGlbBPwpdfn5kaz2advnjgXS8DuEugCHyhmd+DcBgEbtyb2oL2q420f5eNiAi oyhyKTPysBoGbIAtMmWIXlf1+/humrDT5FwIMPjKr34oFQmnOgkTqqA43P0m0FZwZGFM 1cIxHEInPcLyv4co3Ku1RoaEyAN7/acE9u6XwcenBk0Ji9dAQ4KSSqPvlcbvxFgtY8rw h/4KmNU9OpVW3WGhByqP9EOMNfM4vZ+FVI3iGw6tYDIYokfAvW9NZcWjwBwNfkKGvA4J tOwCUtd9Ig8ruxgH1t3Fm5dfLTZP0ZmTkQ5m36Y47kHa2cUxQFOBWDwbxsenmi2FFX4z kS+w== X-Gm-Message-State: APzg51BJn7QIaUhkYcqAvYnEKHYtT3SxqOKr8TYYI99GscLRc8GwFa4A zFYrCEUA24TQKIhXch7/orOt2XXT74pNVDc+FQHPhQ== X-Received: by 2002:a9d:1cac:: with SMTP id l44-v6mr1229816ota.359.1536847123882; Thu, 13 Sep 2018 06:58:43 -0700 (PDT) MIME-Version: 1.0 References: <20180820123818.27547-1-omosnace@redhat.com> <20180821072114.GC23069@localhost> <2148764.ODNUjEgRWb@x2> In-Reply-To: <2148764.ODNUjEgRWb@x2> From: Ondrej Mosnacek Date: Thu, 13 Sep 2018 15:58:32 +0200 Message-ID: Subject: Re: [RFC PATCH ghak10 v4 0/2] audit: Log modifying adjtimex(2) calls To: Steve Grubb Cc: Paul Moore , Miroslav Lichvar , Thomas Gleixner , Linux-Audit Mailing List , Richard Guy Briggs , John Stultz , Stephen Boyd , Linux kernel mailing list Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Aug 24, 2018 at 4:56 PM Steve Grubb wrote: > On Wednesday, August 22, 2018 5:27:17 PM EDT Paul Moore wrote: > > On Tue, Aug 21, 2018 at 3:21 AM Miroslav Lichvar > wrote: > > > > On Mon, 20 Aug 2018, Ondrej Mosnacek wrote: > > > > > @John or other timekeeping/NTP folks: We had a discussion on the > > > > > audit > > > > > ML on which of the internal timekeeping/NTP variables we should > > > > > actually > > > > > log changes for. We are only interested in variables that can > > > > > (directly > > > > > or indirectly) cause noticeable changes to the system clock, but > > > > > since we > > > > > have only limited understanding of the NTP code, we would like to ask > > > > > you for advice on which variables are security relevant. > > > > > > I guess that mostly depends on whether you consider setting the clock > > > to run faster or slower than real time to be an important event for > > > the audit. > > > > > > > > - NTP value adjustments: > > > > > - time_offset (probably important) > > > > > > This can adjust the clock by up to 0.5 seconds per call and also speed > > > it up or slow down by up to about 0.05% (43 seconds per day). > > > > This seems worthwhile. > > > > > > > - time_freq (maybe not important?) > > > > > > This can speed up or slow down by up to about 0.05%. > > > > This too. > > > > > > > - time_status (likely important, can cause leap second injection) > > > > > > Yes, it can insert/delete leap seconds and it also enables/disables > > > synchronization of the hardware real-time clock. > > > > This one as well. > > > > > > > - time_maxerror (maybe not important?) > > > > > - time_esterror (maybe not important?) > > > > > > These two change the error estimates that are reported to applications > > > using ntp_gettime()/adjtimex(). If an application was periodically > > > checking that the clock is synchronized with some specified accuracy > > > and setting the maxerror to a larger value would cause the application > > > to abort, would it be an important event in the audit? > > > > Since these don't really affect the time, just the expected error, I'm > > not sure this is important. > > I don't think so. Sorry, just to make sure I understand it right - do you (also) not think it is important or do you not think it is not important? :) -- Ondrej Mosnacek Associate Software Engineer, Security Technologies Red Hat, Inc.