From: Ondrej Mosnacek <omosnace@redhat.com>
To: linux-audit@redhat.com
Cc: Paul Moore <paul@paul-moore.com>,
Richard Guy Briggs <rgb@redhat.com>,
Steve Grubb <sgrubb@redhat.com>,
John Stultz <john.stultz@linaro.org>,
Thomas Gleixner <tglx@linutronix.de>,
Stephen Boyd <sboyd@kernel.org>,
linux-kernel@vger.kernel.org,
Ondrej Mosnacek <omosnace@redhat.com>
Subject: [RFC PATCH ghak10 v4 0/2] audit: Log modifying adjtimex(2) calls
Date: Mon, 20 Aug 2018 14:38:16 +0200 [thread overview]
Message-ID: <20180820123818.27547-1-omosnace@redhat.com> (raw)
Hi,
this patchset implements more detailed auditing of the adjtimex(2)
syscall in order to make it possible to:
a) distinguish modifying vs. read-only calls in the audit log
b) reconstruct from the audit log what changes were made and how they
have influenced the system clock
The main motivation is to be able to detect an adversary that tries to
confuse the audit timestamps by changing system time via adjtimex(2),
but at the same time avoid flooding the audit log with records of benign
read-only adjtimex(2) calls.
@John or other timekeeping/NTP folks: We had a discussion on the audit
ML on which of the internal timekeeping/NTP variables we should actually
log changes for. We are only interested in variables that can (directly
or indirectly) cause noticeable changes to the system clock, but since we
have only limited understanding of the NTP code, we would like to ask
you for advice on which variables are security relevant.
Right now, the patchset is conservative and logs all changes that can be
done via adjtimex(2):
- direct injection of timekeeping offset (obviously relevant)
- adjustment of timekeeping's TAI offset
- NTP value adjustments:
- time_offset (probably important)
- time_freq (maybe not important?)
- time_status (likely important, can cause leap second injection)
- time_maxerror (maybe not important?)
- time_esterror (maybe not important?)
- time_constant (???)
- time_adjust (sounds important)
- tick_usec (???)
Could you please give us some hints on the effect of changing these
variables and whether you think that it is important to log their
changes?
Thanks a lot!
GitHub issue: https://github.com/linux-audit/audit-kernel/issues/10
Changes in v4:
- Squashed first two patches into one
- Rename ADJNTPVAL's "type" field to "op" to align with audit record
conventions
- Minor commit message editing
- Cc timekeeping/NTP people for feedback
v3: https://www.redhat.com/archives/linux-audit/2018-July/msg00001.html
Changes in v3:
- Switched to separate records for each variable
- Both old and new value is now reported for each change
- Injecting offset is reported via a separate record (since this
offset consists of two values and is added directly to the clock,
i.e. it doesn't make sense to log old and new value)
- Added example records produced by chronyd -q (see the commit message
of the last patch)
v2: https://www.redhat.com/archives/linux-audit/2018-June/msg00114.html
Changes in v2:
- The audit_adjtime() function has been modified to only log those
fields that contain values that are actually used, resulting in more
compact records.
- The audit_adjtime() call has been moved to do_adjtimex() in
timekeeping.c
- Added an additional patch (for review) that simplifies the detection
if the syscall is read-only.
v1: https://www.redhat.com/archives/linux-audit/2018-June/msg00095.html
Ondrej Mosnacek (2):
audit: Add functions to log time adjustments
timekeeping/ntp: Audit clock/NTP params adjustments
include/linux/audit.h | 21 ++++++++++++++++
include/uapi/linux/audit.h | 2 ++
kernel/auditsc.c | 15 ++++++++++++
kernel/time/ntp.c | 50 ++++++++++++++++++++++++++++++--------
kernel/time/timekeeping.c | 3 +++
5 files changed, 81 insertions(+), 10 deletions(-)
--
2.17.1
next reply other threads:[~2018-08-20 12:38 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-20 12:38 Ondrej Mosnacek [this message]
2018-08-20 12:38 ` [RFC PATCH ghak10 v4 1/2] audit: Add functions to log time adjustments Ondrej Mosnacek
2018-08-20 12:38 ` [RFC PATCH ghak10 v4 2/2] timekeeping/ntp: Audit clock/NTP params adjustments Ondrej Mosnacek
2018-08-20 15:21 ` [RFC PATCH ghak10 v4 0/2] audit: Log modifying adjtimex(2) calls Thomas Gleixner
2018-08-21 7:21 ` Miroslav Lichvar
2018-08-22 21:27 ` Paul Moore
2018-08-23 9:14 ` Ondrej Mosnacek
2018-08-23 11:50 ` Paul Moore
2018-08-24 14:56 ` Steve Grubb
2018-09-13 13:58 ` Ondrej Mosnacek
2018-09-13 14:07 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180820123818.27547-1-omosnace@redhat.com \
--to=omosnace@redhat.com \
--cc=john.stultz@linaro.org \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=rgb@redhat.com \
--cc=sboyd@kernel.org \
--cc=sgrubb@redhat.com \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).