Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp252285imm; Thu, 13 Sep 2018 20:11:24 -0700 (PDT) X-Google-Smtp-Source: ANB0Vdb6BITSmmRTjSP+bSXytmnW4h139y+Jvno6Q/GKszpfv3U6jQXpJcYneRXIe9cSKpV2N+9l X-Received: by 2002:a62:4808:: with SMTP id v8-v6mr10227371pfa.89.1536894684729; Thu, 13 Sep 2018 20:11:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1536894684; cv=none; d=google.com; s=arc-20160816; b=PKA7n1Gu583WQcAH/PK348/jP0SRbhoHEKUg66KnzEUBZm+e8qqKr2pE+Og7h2Y5mP 9dPwZ8fchV5Cu0r3YYABq9HAXT4f+or0RIqUMF3pjS5Bo8hxnAGvmbh9RdFAmqBSzX40 zo4LAtWmgx58q27gnnU9G35g4EFjef1DCBIA0GEtHQnsnMqfl/qG9LnGuFWK5FpE0tfC 4Eu1Bok4xNgWBE38EX6cxogtrMf6CcrsTU6X5vl8B3balkWBhPFi9Wu+q8LDsa2Ly03e Ds2I5B8C1vHnDjFmk8mIrUk50WE2BWJf0RkvNQE4QBHIg/hNLGW0QUDUBA+f8ZohE8Gp autg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=zV0E11/9LhPWNRkhTaAWrfVN37Gj+T7MZnhY2lzUbYQ=; b=VFqasU0PpgVhaNoAoQJRthvxiXuYOXt9jCDLgZmVLEu+JEBMznFDo7bKsBMqCehe8P ZYIGAY7cXCTQl5tC/xNgALljXRaKiVTDET5yUM1SU+IWfvO5aEX5BqevvUsULxmRaSH1 PgkQfEPll23CheWAP+T6Gdee/CPx+17Eh8YFNrBjqe1JJim2S7HZqOlccArvrHtruxbB tsb8VJERP982I8nb2qTySNsnlht41lAnNUHMCic2sjkhgXXcYBZP1d4zn2tydYllG7oQ vm3ScYJf6rami507Us36vr4q7Wd606zYxkmOEDdnhDGUBK5CZwjMZtKvAbXj8lR/N2S0 TLmw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=iTfu1seN; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m192-v6si5795814pga.410.2018.09.13.20.11.08; Thu, 13 Sep 2018 20:11:24 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=iTfu1seN; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728225AbeINIV7 (ORCPT + 99 others); Fri, 14 Sep 2018 04:21:59 -0400 Received: from mail-lf1-f65.google.com ([209.85.167.65]:43621 "EHLO mail-lf1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726958AbeINIV6 (ORCPT ); Fri, 14 Sep 2018 04:21:58 -0400 Received: by mail-lf1-f65.google.com with SMTP id h64-v6so6571417lfi.10 for ; Thu, 13 Sep 2018 20:09:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=zV0E11/9LhPWNRkhTaAWrfVN37Gj+T7MZnhY2lzUbYQ=; b=iTfu1seNzE0ZdQvosj5RjqBjzAGq3yFPWMLA6V8/TJMbd4puj+lqhAqOYDxOjy4soY AcslJzJEySX/byw7pIOWR3tMV5OzPDuqH2aKhIfjxSHJyCOcmAih4L99zmQ7gPTOYew3 of1+VCv2UrZPyA4KbOnZv7+hU+ko3wbG5qh7vzAZVM46xgrZuzCmvV2LuoNYQ+7P+ppn v08GITwxqx78yrUcKEy9gqPHQW8Hj12pC+ToMVvqdsXbfPPIR5jG5b8JZuHfobpVMbJg hprXy2SRKB8ktaSSrlQC6rCw0+aeosHwEJ6YU8TvZ0MaeBx2LnNc3LctwNPNWwNYMdF4 w/WQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=zV0E11/9LhPWNRkhTaAWrfVN37Gj+T7MZnhY2lzUbYQ=; b=igc2+YI4UROW/nuoQG49ogTyToIQZaCDfc1kN4gCkBZ92/9KM2F5SkePxFMQG0ysQp DFg66Jpd5exRGaA7D5Zw5bMz5aTAjAwzkGM7lwksziuS8lQlvHab0dbe0zM2hukhwuiZ U5e7HGmBVwGDqvyPp4ZEu/RjKk/v0SjcHzksvZJHcaK7F9wgqTI19QuKjdj9Pe6fU1yO e8Li0bqhqCwAoOi0RhPiHS1sxFeXeU92tKPyF9Rl0/VsvOFNWOwCslFMtfFUUnCV7KPp cryyMB/lKhRSSTGhYFe9zZ70cOHHOJ9qIW6aN+euk5Q39Af6DvYzpm5MeAVG0d/uQqD9 2jbg== X-Gm-Message-State: APzg51BnBKXVeZ1lOHZTfiCDnYHfqEml/n7Js9t+HBq/7dUctpjpr7C1 1U45reB5EG6su9SezF2WEmL4/DC4lWrDYql9M8UA X-Received: by 2002:ac2:410d:: with SMTP id b13-v6mr689178lfi.19.1536894574455; Thu, 13 Sep 2018 20:09:34 -0700 (PDT) MIME-Version: 1.0 References: <20180824120001.20771-1-omosnace@redhat.com> <20180827075020.GL27091@localhost> <4819575.TSNxuEWROA@x2> In-Reply-To: From: Paul Moore Date: Thu, 13 Sep 2018 23:09:23 -0400 Message-ID: Subject: Re: [PATCH ghak10 v5 1/2] audit: Add functions to log time adjustments To: omosnace@redhat.com Cc: sgrubb@redhat.com, mlichvar@redhat.com, linux-audit@redhat.com, rgb@redhat.com, john.stultz@linaro.org, tglx@linutronix.de, sboyd@kernel.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Sep 13, 2018 at 9:59 AM Ondrej Mosnacek wrote: > On Mon, Aug 27, 2018 at 6:38 PM Steve Grubb wrote: > > On Monday, August 27, 2018 5:13:17 AM EDT Ondrej Mosnacek wrote: > > > On Mon, Aug 27, 2018 at 9:50 AM Miroslav Lichvar > > wrote: > > > > On Fri, Aug 24, 2018 at 02:00:00PM +0200, Ondrej Mosnacek wrote: > > > > > This patch adds two auxiliary record types that will be used to > > > > > annotate > > > > > the adjtimex SYSCALL records with the NTP/timekeeping values that have > > > > > been changed. > > > > > > > > It seems the "adjust" function intentionally logs also calls/modes > > > > that don't actually change anything. Can you please explain it a bit > > > > in the message? > > > > > > > > NTP/PTP daemons typically don't read the adjtimex values in a normal > > > > operation and overwrite them on each update, even if they don't > > > > change. If the audit function checked that oldval != newval, the > > > > number of messages would be reduced and it might be easier to follow. > > > > > > We actually want to log any attempt to change a value, as even an > > > intention to set/change something could be a hint that the process is > > > trying to do something bad (see discussion at [1]). > > > > One of the problems is that these applications can flood the logs very > > quickly. An attempt to change is not needed unless it fails for permissions > > reasons. So, limiting to actual changes is probably a good thing. > > Well, Richard seemed to "violently" agree with the opposite, so now I > don't know which way to go... Paul, you are the official tie-breaker > here, which do you prefer? The general idea is that we only care about *changes* to the system state, so if a process is setting a variable to with a value that matches it's current value I see no reason why we need to generate a change record. Another thing to keep in mind, we can always change the behavior to be more verbose (*always* generate a record, regardless of value) without likely causing a regression, but limiting records is more difficult and more likely to cause regressions. -- paul moore www.paul-moore.com