Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp3924637imm;
        Mon, 17 Sep 2018 05:34:46 -0700 (PDT)
X-Google-Smtp-Source: ANB0VdZuDy66HAkPJWovz+iI2M6xpGq2D2xhLRiZ3smDnyjjxLC/rz2qZx7XLbI1hOBpLDYePBbM
X-Received: by 2002:a62:1d54:: with SMTP id d81-v6mr25815685pfd.139.1537187685956;
        Mon, 17 Sep 2018 05:34:45 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1537187685; cv=none;
        d=google.com; s=arc-20160816;
        b=rHHg6oqptJCPWKh/NeXaO6401JqZ6bB++kplEoRdo16Kqqk3ppncxadENxmeGSaRUP
         je6s6SgJukQn0yvgPtmDCbMV9KMZPIk4V6kXu787DlEjwKM3yUWFGlL+Uzp6IX6lUY7w
         UqUeNXzfdmV8rvmp/2nS1ffeAovq/EzeEcusktrsw63mj/cWkccTRNKKPJJpu+s7Rz7i
         xhCTQIQinrO1ITlM2/e8ImcoSrI398vLc98HmHklaG6mmB+pLKLvBBBNOdQKAGe03U6n
         8/MvxZpFFnu58aw1Rjlsk4DjRF1GQezpI2i57QxchmVf/pWL44XJlo0glM48aotf9O2/
         U2pg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version;
        bh=zcOdeIvs8mPFfCShlKEEH1peTl0C5koXCKOgyR8sEAc=;
        b=QGvzghrpCJWUrUvQL/Jml0j7XUW18ia1i18PW3S+8GeF+x8sX2rW8JsTG2K8UKPNaX
         /I04yBFgZ2Mhcpv52m7o3dolvXWCm6giRYd6GGuJHdbFBI8HZKzumd/NTqXjU9LPE+4N
         zR7MO+T/c0tXhFiiFrA672Aay3wfZzS3pB3J+pxtB+DETR4P2MlSZWWVGuqgaPoOJsUn
         mnTGZrziegnZhkT3cepWQ7zs8JK68PQmnj9T8WZI01EEmKiMI1UB/q0obVFoTiZZA6y+
         3ql4ENU5uobnJ07grbbaASZlXbat+OFOWWnWlgY1WGCGykAWv8r7aU+/+Lf6wHpgPu2H
         gPvQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id w1-v6si16896639pff.1.2018.09.17.05.34.30;
        Mon, 17 Sep 2018 05:34:45 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728559AbeIQSBS (ORCPT <rfc822;kernelgary@gmail.com>
        + 99 others); Mon, 17 Sep 2018 14:01:18 -0400
Received: from mail-oi0-f65.google.com ([209.85.218.65]:33987 "EHLO
        mail-oi0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1728545AbeIQSBR (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 17 Sep 2018 14:01:17 -0400
Received: by mail-oi0-f65.google.com with SMTP id 13-v6so18749002ois.1
        for <linux-kernel@vger.kernel.org>; Mon, 17 Sep 2018 05:34:10 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=zcOdeIvs8mPFfCShlKEEH1peTl0C5koXCKOgyR8sEAc=;
        b=ILJoz7dv2SC9u5mCf95ENcoOonyW1vzlk1bKUjOO5BfqI2aV2Q9M9yPmV1vbPxoS9Z
         YHF60y6a7G19Iu7WXifPAHw20a+nxNwbv6ML/MOos5ZJJ5qi+eY9fNE5BfEKiPbhOzz/
         cpCSD0LR9tb+voF5r9zEpRTVhNhc6XNP688mc08d/FQhG5ilhnzBtPruRLGy1c0Takds
         bDXqN0zQoSlFUb7dxcUZzDnoS52EM6sNzTCo1v/E4R2h6c3YNT+C1r2rmnD4BE3Hu12w
         qym8jiv55IOJD9L9bAScmLfhHvroEwzc/8TjouBbrCev4dZfjiI1Ckphp9khWJlU/FQO
         D7Sg==
X-Gm-Message-State: APzg51CdNna4clCOK3G/SG0m2TBohf9gdGirzjHE3a+JmtOIhpcqs0TC
        B6bJF5JTl0iRzGZFS3Tpm4r8J6o744yJ2To9roIu1w==
X-Received: by 2002:aca:3bc2:: with SMTP id i185-v6mr17401704oia.156.1537187649922;
 Mon, 17 Sep 2018 05:34:09 -0700 (PDT)
MIME-Version: 1.0
References: <20180824120001.20771-1-omosnace@redhat.com> <20180827075020.GL27091@localhost>
 <CAFqZXNvADB-E_fjEaQpUymSVvfP-vXQXtk3K+nJ9DqrScHL8bQ@mail.gmail.com>
 <4819575.TSNxuEWROA@x2> <CAFqZXNtzSU0KjFwYzqJCQybEvJz1GhQZHxRfJ2hj=6o_RGGLLA@mail.gmail.com>
 <CAHC9VhQwPsK1PJ=wiiG-jt-e5SXoBr0FeaL9dP=7kn2SUftDXQ@mail.gmail.com>
In-Reply-To: <CAHC9VhQwPsK1PJ=wiiG-jt-e5SXoBr0FeaL9dP=7kn2SUftDXQ@mail.gmail.com>
From:   Ondrej Mosnacek <omosnace@redhat.com>
Date:   Mon, 17 Sep 2018 14:33:58 +0200
Message-ID: <CAFqZXNt-4NOEimdZXrtAGvNYVm7apNUPnAM=OAp8W+h06Qu65g@mail.gmail.com>
Subject: Re: [PATCH ghak10 v5 1/2] audit: Add functions to log time adjustments
To:     Paul Moore <paul@paul-moore.com>
Cc:     Steve Grubb <sgrubb@redhat.com>,
        Miroslav Lichvar <mlichvar@redhat.com>,
        Linux-Audit Mailing List <linux-audit@redhat.com>,
        Richard Guy Briggs <rgb@redhat.com>,
        John Stultz <john.stultz@linaro.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Stephen Boyd <sboyd@kernel.org>,
        Linux kernel mailing list <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Sep 14, 2018 at 5:09 AM Paul Moore <paul@paul-moore.com> wrote:
> On Thu, Sep 13, 2018 at 9:59 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> > On Mon, Aug 27, 2018 at 6:38 PM Steve Grubb <sgrubb@redhat.com> wrote:
> > > On Monday, August 27, 2018 5:13:17 AM EDT Ondrej Mosnacek wrote:
> > > > On Mon, Aug 27, 2018 at 9:50 AM Miroslav Lichvar <mlichvar@redhat.com>
> > > wrote:
> > > > > On Fri, Aug 24, 2018 at 02:00:00PM +0200, Ondrej Mosnacek wrote:
> > > > > > This patch adds two auxiliary record types that will be used to
> > > > > > annotate
> > > > > > the adjtimex SYSCALL records with the NTP/timekeeping values that have
> > > > > > been changed.
> > > > >
> > > > > It seems the "adjust" function intentionally logs also calls/modes
> > > > > that don't actually change anything. Can you please explain it a bit
> > > > > in the message?
> > > > >
> > > > > NTP/PTP daemons typically don't read the adjtimex values in a normal
> > > > > operation and overwrite them on each update, even if they don't
> > > > > change. If the audit function checked that oldval != newval, the
> > > > > number of messages would be reduced and it might be easier to follow.
> > > >
> > > > We actually want to log any attempt to change a value, as even an
> > > > intention to set/change something could be a hint that the process is
> > > > trying to do something bad (see discussion at [1]).
> > >
> > > One of the problems is that these applications can flood the logs very
> > > quickly. An attempt to change is not needed unless it fails for permissions
> > > reasons. So, limiting to actual changes is probably a good thing.
> >
> > Well, Richard seemed to "violently" agree with the opposite, so now I
> > don't know which way to go... Paul, you are the official tie-breaker
> > here, which do you prefer?
>
> The general idea is that we only care about *changes* to the system
> state, so if a process is setting a variable to with a value that
> matches it's current value I see no reason why we need to generate a
> change record.
>
> Another thing to keep in mind, we can always change the behavior to be
> more verbose (*always* generate a record, regardless of value) without
> likely causing a regression, but limiting records is more difficult
> and more likely to cause regressions.

OK, that makes sense. I'll limit logging to actual changes in the next revision.

>
> --
> paul moore
> www.paul-moore.com

--
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.