Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp252285imm;
        Thu, 13 Sep 2018 20:11:24 -0700 (PDT)
X-Google-Smtp-Source: ANB0Vdb6BITSmmRTjSP+bSXytmnW4h139y+Jvno6Q/GKszpfv3U6jQXpJcYneRXIe9cSKpV2N+9l
X-Received: by 2002:a62:4808:: with SMTP id v8-v6mr10227371pfa.89.1536894684729;
        Thu, 13 Sep 2018 20:11:24 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1536894684; cv=none;
        d=google.com; s=arc-20160816;
        b=PKA7n1Gu583WQcAH/PK348/jP0SRbhoHEKUg66KnzEUBZm+e8qqKr2pE+Og7h2Y5mP
         9dPwZ8fchV5Cu0r3YYABq9HAXT4f+or0RIqUMF3pjS5Bo8hxnAGvmbh9RdFAmqBSzX40
         zo4LAtWmgx58q27gnnU9G35g4EFjef1DCBIA0GEtHQnsnMqfl/qG9LnGuFWK5FpE0tfC
         4Eu1Bok4xNgWBE38EX6cxogtrMf6CcrsTU6X5vl8B3balkWBhPFi9Wu+q8LDsa2Ly03e
         Ds2I5B8C1vHnDjFmk8mIrUk50WE2BWJf0RkvNQE4QBHIg/hNLGW0QUDUBA+f8ZohE8Gp
         autg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=zV0E11/9LhPWNRkhTaAWrfVN37Gj+T7MZnhY2lzUbYQ=;
        b=VFqasU0PpgVhaNoAoQJRthvxiXuYOXt9jCDLgZmVLEu+JEBMznFDo7bKsBMqCehe8P
         ZYIGAY7cXCTQl5tC/xNgALljXRaKiVTDET5yUM1SU+IWfvO5aEX5BqevvUsULxmRaSH1
         PgkQfEPll23CheWAP+T6Gdee/CPx+17Eh8YFNrBjqe1JJim2S7HZqOlccArvrHtruxbB
         tsb8VJERP982I8nb2qTySNsnlht41lAnNUHMCic2sjkhgXXcYBZP1d4zn2tydYllG7oQ
         vm3ScYJf6rami507Us36vr4q7Wd606zYxkmOEDdnhDGUBK5CZwjMZtKvAbXj8lR/N2S0
         TLmw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=iTfu1seN;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id m192-v6si5795814pga.410.2018.09.13.20.11.08;
        Thu, 13 Sep 2018 20:11:24 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=iTfu1seN;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728225AbeINIV7 (ORCPT <rfc822;brice.berna@gmail.com>
        + 99 others); Fri, 14 Sep 2018 04:21:59 -0400
Received: from mail-lf1-f65.google.com ([209.85.167.65]:43621 "EHLO
        mail-lf1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726958AbeINIV6 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 14 Sep 2018 04:21:58 -0400
Received: by mail-lf1-f65.google.com with SMTP id h64-v6so6571417lfi.10
        for <linux-kernel@vger.kernel.org>; Thu, 13 Sep 2018 20:09:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paul-moore-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=zV0E11/9LhPWNRkhTaAWrfVN37Gj+T7MZnhY2lzUbYQ=;
        b=iTfu1seNzE0ZdQvosj5RjqBjzAGq3yFPWMLA6V8/TJMbd4puj+lqhAqOYDxOjy4soY
         AcslJzJEySX/byw7pIOWR3tMV5OzPDuqH2aKhIfjxSHJyCOcmAih4L99zmQ7gPTOYew3
         of1+VCv2UrZPyA4KbOnZv7+hU+ko3wbG5qh7vzAZVM46xgrZuzCmvV2LuoNYQ+7P+ppn
         v08GITwxqx78yrUcKEy9gqPHQW8Hj12pC+ToMVvqdsXbfPPIR5jG5b8JZuHfobpVMbJg
         hprXy2SRKB8ktaSSrlQC6rCw0+aeosHwEJ6YU8TvZ0MaeBx2LnNc3LctwNPNWwNYMdF4
         w/WQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=zV0E11/9LhPWNRkhTaAWrfVN37Gj+T7MZnhY2lzUbYQ=;
        b=igc2+YI4UROW/nuoQG49ogTyToIQZaCDfc1kN4gCkBZ92/9KM2F5SkePxFMQG0ysQp
         DFg66Jpd5exRGaA7D5Zw5bMz5aTAjAwzkGM7lwksziuS8lQlvHab0dbe0zM2hukhwuiZ
         U5e7HGmBVwGDqvyPp4ZEu/RjKk/v0SjcHzksvZJHcaK7F9wgqTI19QuKjdj9Pe6fU1yO
         e8Li0bqhqCwAoOi0RhPiHS1sxFeXeU92tKPyF9Rl0/VsvOFNWOwCslFMtfFUUnCV7KPp
         cryyMB/lKhRSSTGhYFe9zZ70cOHHOJ9qIW6aN+euk5Q39Af6DvYzpm5MeAVG0d/uQqD9
         2jbg==
X-Gm-Message-State: APzg51BnBKXVeZ1lOHZTfiCDnYHfqEml/n7Js9t+HBq/7dUctpjpr7C1
        1U45reB5EG6su9SezF2WEmL4/DC4lWrDYql9M8UA
X-Received: by 2002:ac2:410d:: with SMTP id b13-v6mr689178lfi.19.1536894574455;
 Thu, 13 Sep 2018 20:09:34 -0700 (PDT)
MIME-Version: 1.0
References: <20180824120001.20771-1-omosnace@redhat.com> <20180827075020.GL27091@localhost>
 <CAFqZXNvADB-E_fjEaQpUymSVvfP-vXQXtk3K+nJ9DqrScHL8bQ@mail.gmail.com>
 <4819575.TSNxuEWROA@x2> <CAFqZXNtzSU0KjFwYzqJCQybEvJz1GhQZHxRfJ2hj=6o_RGGLLA@mail.gmail.com>
In-Reply-To: <CAFqZXNtzSU0KjFwYzqJCQybEvJz1GhQZHxRfJ2hj=6o_RGGLLA@mail.gmail.com>
From:   Paul Moore <paul@paul-moore.com>
Date:   Thu, 13 Sep 2018 23:09:23 -0400
Message-ID: <CAHC9VhQwPsK1PJ=wiiG-jt-e5SXoBr0FeaL9dP=7kn2SUftDXQ@mail.gmail.com>
Subject: Re: [PATCH ghak10 v5 1/2] audit: Add functions to log time adjustments
To:     omosnace@redhat.com
Cc:     sgrubb@redhat.com, mlichvar@redhat.com, linux-audit@redhat.com,
        rgb@redhat.com, john.stultz@linaro.org, tglx@linutronix.de,
        sboyd@kernel.org, linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Sep 13, 2018 at 9:59 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> On Mon, Aug 27, 2018 at 6:38 PM Steve Grubb <sgrubb@redhat.com> wrote:
> > On Monday, August 27, 2018 5:13:17 AM EDT Ondrej Mosnacek wrote:
> > > On Mon, Aug 27, 2018 at 9:50 AM Miroslav Lichvar <mlichvar@redhat.com>
> > wrote:
> > > > On Fri, Aug 24, 2018 at 02:00:00PM +0200, Ondrej Mosnacek wrote:
> > > > > This patch adds two auxiliary record types that will be used to
> > > > > annotate
> > > > > the adjtimex SYSCALL records with the NTP/timekeeping values that have
> > > > > been changed.
> > > >
> > > > It seems the "adjust" function intentionally logs also calls/modes
> > > > that don't actually change anything. Can you please explain it a bit
> > > > in the message?
> > > >
> > > > NTP/PTP daemons typically don't read the adjtimex values in a normal
> > > > operation and overwrite them on each update, even if they don't
> > > > change. If the audit function checked that oldval != newval, the
> > > > number of messages would be reduced and it might be easier to follow.
> > >
> > > We actually want to log any attempt to change a value, as even an
> > > intention to set/change something could be a hint that the process is
> > > trying to do something bad (see discussion at [1]).
> >
> > One of the problems is that these applications can flood the logs very
> > quickly. An attempt to change is not needed unless it fails for permissions
> > reasons. So, limiting to actual changes is probably a good thing.
>
> Well, Richard seemed to "violently" agree with the opposite, so now I
> don't know which way to go... Paul, you are the official tie-breaker
> here, which do you prefer?

The general idea is that we only care about *changes* to the system
state, so if a process is setting a variable to with a value that
matches it's current value I see no reason why we need to generate a
change record.

Another thing to keep in mind, we can always change the behavior to be
more verbose (*always* generate a record, regardless of value) without
likely causing a regression, but limiting records is more difficult
and more likely to cause regressions.

-- 
paul moore
www.paul-moore.com