Received: by 2002:ac0:aed5:0:0:0:0:0 with SMTP id t21csp4951135imb;
        Thu, 7 Mar 2019 04:33:49 -0800 (PST)
X-Google-Smtp-Source: APXvYqxI30qYtXBAlA/li6vRMzr1jc5jHy525X+B/S1DjfHRtQmfBly7/jb9ArRpqbxb9Km2WqoU
X-Received: by 2002:a65:43cc:: with SMTP id n12mr10828883pgp.218.1551962028983;
        Thu, 07 Mar 2019 04:33:48 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1551962028; cv=none;
        d=google.com; s=arc-20160816;
        b=LODAmZ5W6xmHVfLck7+qo2v4SrPsptUKJwK7UIIfo8PMKdW2JGGiszTuPJ0T/HVSM+
         oEmYrTCtCD76uQBavnvrffCdC7+Q4eGAlIWWp0QWIPKtyUXMyLoCKnGR6u9luGxMMtQe
         rPyWUzDULDw33xJ6d5QpUdTHSahSbc7NmneCdO86W7kP9nEyApCfsuCnDTQ4qwOel517
         lPbIfYGRFqpiE9R1Yq8EJ1k8R3/kjHlNZTQQ0mRxMePLkE0jIvNZCCugpSQ//SqTqQMj
         1wUwTcxJWozgeLAhElrAbcAVdaO7bxnJL3RBZVNgqIHYZNgK3HxdqTsO2Gbgl7TaEpAg
         gYdQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from;
        bh=jaHZuHsZx3kSV8nyrEn89E5y39IWLwRofSTEoX/RSfo=;
        b=IEzHUizpP7pkiVKuitw0fMND4y0DrjCLsfHDVguZz8rMemnFoA7DQYev7UkjiQhO2g
         eogI4xY5gmDtly/MsNaeQ4yxUAKjvMtNlzzCODxZ/XLiuvj64oFESIGW91PSxEuYa3SR
         v4tAjORqF+B6ORTrmNJbUI/RgR2JKAX46YG1EwMU1Pp3HdrfwAZp2IAV9A7uKyjA3Pa4
         jI5UVUtxD6a2eemlPpBnZ4qOdJY08rolQPzHKjCKfEQFp6SfNsMHUK8KWGLqrHacG0nS
         gSJEF+tbx3I4HwB7rLV7hVnHXlepU3SyRuYvZgoyUNyZXh+4/MYp84yTYY87KRZZLzFc
         +O8A==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id p7si3921063pgm.335.2019.03.07.04.33.33;
        Thu, 07 Mar 2019 04:33:48 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726281AbfCGMdJ (ORCPT <rfc822;epopevad@gmail.com> + 99 others);
        Thu, 7 Mar 2019 07:33:09 -0500
Received: from mail-wm1-f67.google.com ([209.85.128.67]:39789 "EHLO
        mail-wm1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726120AbfCGMdI (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 7 Mar 2019 07:33:08 -0500
Received: by mail-wm1-f67.google.com with SMTP id z84so9063466wmg.4
        for <linux-kernel@vger.kernel.org>; Thu, 07 Mar 2019 04:33:07 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=jaHZuHsZx3kSV8nyrEn89E5y39IWLwRofSTEoX/RSfo=;
        b=FFBqw43RmhBcOBjwikcGqMx5eLg9sA/UxrwZP6cqDZRhxCQJ4iys0qFTYxXVr7y2gp
         CAe1LQkcV56QNGNf9j7YUDpkQTPLdVHiAYR3ME6OuDMBHpKoe9hQMRVAZSsSmkYglPfD
         vnPUzABsA+uu5VBaMbUBHfr4YZp49p8UZM18mNCS5YvOfgvtS37r901i5NFAjkQg6AQW
         yU377LaZJCLqcb4dhvRvRHwWvS246KGDjjxExOSMS3OHU5IM2PcmeOI+fY1ja66D6Xr5
         CwCHUhLTSiKGx96u0ScM06fTaS0bV8iDivocy8uJsLO4XGIoofGN0q779YZMNomCRAjn
         oCzQ==
X-Gm-Message-State: APjAAAXdPqLfo+IBRb2yGupq3PKN7L2frKwzZmnEgnHYsKVTPF/5HYU/
        UYcsS9Us+riE0ei71HHxxHhUNIP5Ulg=
X-Received: by 2002:a1c:1f51:: with SMTP id f78mr5310060wmf.28.1551961986672;
        Thu, 07 Mar 2019 04:33:06 -0800 (PST)
Received: from localhost.localdomain.com (nat-pool-brq-t.redhat.com. [213.175.37.10])
        by smtp.gmail.com with ESMTPSA id f68sm10063507wmg.5.2019.03.07.04.33.05
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Thu, 07 Mar 2019 04:33:05 -0800 (PST)
From:   Ondrej Mosnacek <omosnace@redhat.com>
To:     linux-audit@redhat.com
Cc:     Paul Moore <paul@paul-moore.com>,
        Richard Guy Briggs <rgb@redhat.com>,
        Steve Grubb <sgrubb@redhat.com>,
        Miroslav Lichvar <mlichvar@redhat.com>,
        John Stultz <john.stultz@linaro.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Stephen Boyd <sboyd@kernel.org>, linux-kernel@vger.kernel.org,
        Ondrej Mosnacek <omosnace@redhat.com>
Subject: [RFC PATCH ghak10 v6 0/2] audit: Log changes that can affect the system clock
Date:   Thu,  7 Mar 2019 13:32:52 +0100
Message-Id: <20190307123254.348-1-omosnace@redhat.com>
X-Mailer: git-send-email 2.20.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

This patchset implements auditing of (syscall-triggered) changes that
can modify or indirectly affect the system clock. Some of these
changes can already be detected by simply logging relevant syscalls,
but this has some disadvantages:
  a) It is usually not possible to find out from the syscall records
     the amount by which the time was shifted.
  b) Syscalls like adjtimex(2) or clock_adjtime(2) can be used also
     for read-only operations, which might flood the audit log with
     false positives. (Note that these patches don't solve this
     problem yet due to the limitations of current record filtering
     capabilities.)

The main motivation is to provide better reliability of timestamps
on the system as mandated by the FPT_STM.1 security functional
requirement from Common Criteria. This requirement apparently demands
that it is possible to reconstruct from audit trail the old and new
values of the time when it is adjusted (see [1]).

The current version of the patchset logs the following changes:
  - direct setting of system time to a given value
  - direct injection of timekeeping offset
  - adjustment of timekeeping's TAI offset
  - NTP value adjustments:
    - time_offset
    - time_freq
    - time_status
    - time_adjust
    - tick_usec

Changes to the following NTP values are not logged, as they are not
important for security:
  - time_maxerror
  - time_esterror
  - time_constant

Audit kernel GitHub issue: https://github.com/linux-audit/audit-kernel/issues/10
Audit kernel RFE page: https://github.com/linux-audit/audit-kernel/wiki/RFE-More-detailed-auditing-of-changes-to-system-clock

Testing: Passed audit-testuite; functional tests TBD

Changes in v6:
  - Reorganized the patches to group changes by record type, not
    kernel subsytem, as suggested in earlier discussions
  - Added checks to ignore no-change events (new value == old value)
  - Added TIME_INJOFFSET logging also to do_settimeofday64() to cover
    syscalls such as settimeofday(2), stime(2), clock_settime(2)
  - Created an RFE page on audit-kernel GitHub
TODO:
  - tests for audit-testsuite

v5: https://www.redhat.com/archives/linux-audit/2018-August/msg00039.html
Changes in v5:
  - Dropped logging of some less important changes and update commit messages
  - No longer mark the patchset as RFC

v4: https://www.redhat.com/archives/linux-audit/2018-August/msg00023.html
Changes in v4:
  - Squashed first two patches into one
  - Renamed ADJNTPVAL's "type" field to "op" to align with audit record
    conventions
  - Minor commit message editing
  - Cc timekeeping/NTP people for feedback

v3: https://www.redhat.com/archives/linux-audit/2018-July/msg00001.html
Changes in v3:
  - Switched to separate records for each variable
  - Both old and new value is now reported for each change
  - Injecting offset is reported via a separate record (since this
    offset consists of two values and is added directly to the clock,
    i.e. it doesn't make sense to log old and new value)
  - Added example records produced by chronyd -q (see the commit message
    of the last patch)

v2: https://www.redhat.com/archives/linux-audit/2018-June/msg00114.html
Changes in v2:
  - The audit_adjtime() function has been modified to only log those
    fields that contain values that are actually used, resulting in more
    compact records.
  - The audit_adjtime() call has been moved to do_adjtimex() in
    timekeeping.c
  - Added an additional patch (for review) that simplifies the detection
    if the syscall is read-only.

v1: https://www.redhat.com/archives/linux-audit/2018-June/msg00095.html

[1] https://www.niap-ccevs.org/MMO/PP/pp_ca_v2.1.pdf -- section 5.1,
    table 4

Ondrej Mosnacek (2):
  timekeeping: Audit clock adjustments
  ntp: Audit NTP parameters adjustment

 include/linux/audit.h      | 29 +++++++++++++++++++++++++++++
 include/uapi/linux/audit.h |  2 ++
 kernel/auditsc.c           | 15 +++++++++++++++
 kernel/time/ntp.c          | 38 ++++++++++++++++++++++++++++++--------
 kernel/time/timekeeping.c  |  6 ++++++
 5 files changed, 82 insertions(+), 8 deletions(-)

-- 
2.20.1