Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp3924637imm; Mon, 17 Sep 2018 05:34:46 -0700 (PDT) X-Google-Smtp-Source: ANB0VdZuDy66HAkPJWovz+iI2M6xpGq2D2xhLRiZ3smDnyjjxLC/rz2qZx7XLbI1hOBpLDYePBbM X-Received: by 2002:a62:1d54:: with SMTP id d81-v6mr25815685pfd.139.1537187685956; Mon, 17 Sep 2018 05:34:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1537187685; cv=none; d=google.com; s=arc-20160816; b=rHHg6oqptJCPWKh/NeXaO6401JqZ6bB++kplEoRdo16Kqqk3ppncxadENxmeGSaRUP je6s6SgJukQn0yvgPtmDCbMV9KMZPIk4V6kXu787DlEjwKM3yUWFGlL+Uzp6IX6lUY7w UqUeNXzfdmV8rvmp/2nS1ffeAovq/EzeEcusktrsw63mj/cWkccTRNKKPJJpu+s7Rz7i xhCTQIQinrO1ITlM2/e8ImcoSrI398vLc98HmHklaG6mmB+pLKLvBBBNOdQKAGe03U6n 8/MvxZpFFnu58aw1Rjlsk4DjRF1GQezpI2i57QxchmVf/pWL44XJlo0glM48aotf9O2/ U2pg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version; bh=zcOdeIvs8mPFfCShlKEEH1peTl0C5koXCKOgyR8sEAc=; b=QGvzghrpCJWUrUvQL/Jml0j7XUW18ia1i18PW3S+8GeF+x8sX2rW8JsTG2K8UKPNaX /I04yBFgZ2Mhcpv52m7o3dolvXWCm6giRYd6GGuJHdbFBI8HZKzumd/NTqXjU9LPE+4N zR7MO+T/c0tXhFiiFrA672Aay3wfZzS3pB3J+pxtB+DETR4P2MlSZWWVGuqgaPoOJsUn mnTGZrziegnZhkT3cepWQ7zs8JK68PQmnj9T8WZI01EEmKiMI1UB/q0obVFoTiZZA6y+ 3ql4ENU5uobnJ07grbbaASZlXbat+OFOWWnWlgY1WGCGykAWv8r7aU+/+Lf6wHpgPu2H gPvQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w1-v6si16896639pff.1.2018.09.17.05.34.30; Mon, 17 Sep 2018 05:34:45 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728559AbeIQSBS (ORCPT + 99 others); Mon, 17 Sep 2018 14:01:18 -0400 Received: from mail-oi0-f65.google.com ([209.85.218.65]:33987 "EHLO mail-oi0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728545AbeIQSBR (ORCPT ); Mon, 17 Sep 2018 14:01:17 -0400 Received: by mail-oi0-f65.google.com with SMTP id 13-v6so18749002ois.1 for ; Mon, 17 Sep 2018 05:34:10 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=zcOdeIvs8mPFfCShlKEEH1peTl0C5koXCKOgyR8sEAc=; b=ILJoz7dv2SC9u5mCf95ENcoOonyW1vzlk1bKUjOO5BfqI2aV2Q9M9yPmV1vbPxoS9Z YHF60y6a7G19Iu7WXifPAHw20a+nxNwbv6ML/MOos5ZJJ5qi+eY9fNE5BfEKiPbhOzz/ cpCSD0LR9tb+voF5r9zEpRTVhNhc6XNP688mc08d/FQhG5ilhnzBtPruRLGy1c0Takds bDXqN0zQoSlFUb7dxcUZzDnoS52EM6sNzTCo1v/E4R2h6c3YNT+C1r2rmnD4BE3Hu12w qym8jiv55IOJD9L9bAScmLfhHvroEwzc/8TjouBbrCev4dZfjiI1Ckphp9khWJlU/FQO D7Sg== X-Gm-Message-State: APzg51CdNna4clCOK3G/SG0m2TBohf9gdGirzjHE3a+JmtOIhpcqs0TC B6bJF5JTl0iRzGZFS3Tpm4r8J6o744yJ2To9roIu1w== X-Received: by 2002:aca:3bc2:: with SMTP id i185-v6mr17401704oia.156.1537187649922; Mon, 17 Sep 2018 05:34:09 -0700 (PDT) MIME-Version: 1.0 References: <20180824120001.20771-1-omosnace@redhat.com> <20180827075020.GL27091@localhost> <4819575.TSNxuEWROA@x2> In-Reply-To: From: Ondrej Mosnacek Date: Mon, 17 Sep 2018 14:33:58 +0200 Message-ID: Subject: Re: [PATCH ghak10 v5 1/2] audit: Add functions to log time adjustments To: Paul Moore Cc: Steve Grubb , Miroslav Lichvar , Linux-Audit Mailing List , Richard Guy Briggs , John Stultz , Thomas Gleixner , Stephen Boyd , Linux kernel mailing list Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Sep 14, 2018 at 5:09 AM Paul Moore wrote: > On Thu, Sep 13, 2018 at 9:59 AM Ondrej Mosnacek wrote: > > On Mon, Aug 27, 2018 at 6:38 PM Steve Grubb wrote: > > > On Monday, August 27, 2018 5:13:17 AM EDT Ondrej Mosnacek wrote: > > > > On Mon, Aug 27, 2018 at 9:50 AM Miroslav Lichvar > > > wrote: > > > > > On Fri, Aug 24, 2018 at 02:00:00PM +0200, Ondrej Mosnacek wrote: > > > > > > This patch adds two auxiliary record types that will be used to > > > > > > annotate > > > > > > the adjtimex SYSCALL records with the NTP/timekeeping values that have > > > > > > been changed. > > > > > > > > > > It seems the "adjust" function intentionally logs also calls/modes > > > > > that don't actually change anything. Can you please explain it a bit > > > > > in the message? > > > > > > > > > > NTP/PTP daemons typically don't read the adjtimex values in a normal > > > > > operation and overwrite them on each update, even if they don't > > > > > change. If the audit function checked that oldval != newval, the > > > > > number of messages would be reduced and it might be easier to follow. > > > > > > > > We actually want to log any attempt to change a value, as even an > > > > intention to set/change something could be a hint that the process is > > > > trying to do something bad (see discussion at [1]). > > > > > > One of the problems is that these applications can flood the logs very > > > quickly. An attempt to change is not needed unless it fails for permissions > > > reasons. So, limiting to actual changes is probably a good thing. > > > > Well, Richard seemed to "violently" agree with the opposite, so now I > > don't know which way to go... Paul, you are the official tie-breaker > > here, which do you prefer? > > The general idea is that we only care about *changes* to the system > state, so if a process is setting a variable to with a value that > matches it's current value I see no reason why we need to generate a > change record. > > Another thing to keep in mind, we can always change the behavior to be > more verbose (*always* generate a record, regardless of value) without > likely causing a regression, but limiting records is more difficult > and more likely to cause regressions. OK, that makes sense. I'll limit logging to actual changes in the next revision. > > -- > paul moore > www.paul-moore.com -- Ondrej Mosnacek Associate Software Engineer, Security Technologies Red Hat, Inc.