From: Thomas Gleixner <tglx@linutronix.de>
To: Ondrej Mosnacek <omosnace@redhat.com>
Cc: linux-audit@redhat.com, Paul Moore <paul@paul-moore.com>,
Richard Guy Briggs <rgb@redhat.com>,
Steve Grubb <sgrubb@redhat.com>,
John Stultz <john.stultz@linaro.org>,
Stephen Boyd <sboyd@kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Miroslav Lichvar <mlichvar@redhat.com>
Subject: Re: [RFC PATCH ghak10 v4 0/2] audit: Log modifying adjtimex(2) calls
Date: Mon, 20 Aug 2018 17:21:57 +0200 (CEST) [thread overview]
Message-ID: <alpine.DEB.2.21.1808201721350.1551@nanos.tec.linutronix.de> (raw)
In-Reply-To: <20180820123818.27547-1-omosnace@redhat.com>
On Mon, 20 Aug 2018, Ondrej Mosnacek wrote:
+ Miroslav Lichvar
> Hi,
>
> this patchset implements more detailed auditing of the adjtimex(2)
> syscall in order to make it possible to:
> a) distinguish modifying vs. read-only calls in the audit log
> b) reconstruct from the audit log what changes were made and how they
> have influenced the system clock
>
> The main motivation is to be able to detect an adversary that tries to
> confuse the audit timestamps by changing system time via adjtimex(2),
> but at the same time avoid flooding the audit log with records of benign
> read-only adjtimex(2) calls.
>
> @John or other timekeeping/NTP folks: We had a discussion on the audit
> ML on which of the internal timekeeping/NTP variables we should actually
> log changes for. We are only interested in variables that can (directly
> or indirectly) cause noticeable changes to the system clock, but since we
> have only limited understanding of the NTP code, we would like to ask
> you for advice on which variables are security relevant.
>
> Right now, the patchset is conservative and logs all changes that can be
> done via adjtimex(2):
> - direct injection of timekeeping offset (obviously relevant)
> - adjustment of timekeeping's TAI offset
> - NTP value adjustments:
> - time_offset (probably important)
> - time_freq (maybe not important?)
> - time_status (likely important, can cause leap second injection)
> - time_maxerror (maybe not important?)
> - time_esterror (maybe not important?)
> - time_constant (???)
> - time_adjust (sounds important)
> - tick_usec (???)
>
> Could you please give us some hints on the effect of changing these
> variables and whether you think that it is important to log their
> changes?
>
> Thanks a lot!
>
>
> GitHub issue: https://github.com/linux-audit/audit-kernel/issues/10
>
> Changes in v4:
> - Squashed first two patches into one
> - Rename ADJNTPVAL's "type" field to "op" to align with audit record
> conventions
> - Minor commit message editing
> - Cc timekeeping/NTP people for feedback
>
> v3: https://www.redhat.com/archives/linux-audit/2018-July/msg00001.html
> Changes in v3:
> - Switched to separate records for each variable
> - Both old and new value is now reported for each change
> - Injecting offset is reported via a separate record (since this
> offset consists of two values and is added directly to the clock,
> i.e. it doesn't make sense to log old and new value)
> - Added example records produced by chronyd -q (see the commit message
> of the last patch)
>
> v2: https://www.redhat.com/archives/linux-audit/2018-June/msg00114.html
> Changes in v2:
> - The audit_adjtime() function has been modified to only log those
> fields that contain values that are actually used, resulting in more
> compact records.
> - The audit_adjtime() call has been moved to do_adjtimex() in
> timekeeping.c
> - Added an additional patch (for review) that simplifies the detection
> if the syscall is read-only.
>
> v1: https://www.redhat.com/archives/linux-audit/2018-June/msg00095.html
>
> Ondrej Mosnacek (2):
> audit: Add functions to log time adjustments
> timekeeping/ntp: Audit clock/NTP params adjustments
>
> include/linux/audit.h | 21 ++++++++++++++++
> include/uapi/linux/audit.h | 2 ++
> kernel/auditsc.c | 15 ++++++++++++
> kernel/time/ntp.c | 50 ++++++++++++++++++++++++++++++--------
> kernel/time/timekeeping.c | 3 +++
> 5 files changed, 81 insertions(+), 10 deletions(-)
>
> --
> 2.17.1
>
>
next prev parent reply other threads:[~2018-08-20 15:22 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-20 12:38 [RFC PATCH ghak10 v4 0/2] audit: Log modifying adjtimex(2) calls Ondrej Mosnacek
2018-08-20 12:38 ` [RFC PATCH ghak10 v4 1/2] audit: Add functions to log time adjustments Ondrej Mosnacek
2018-08-20 12:38 ` [RFC PATCH ghak10 v4 2/2] timekeeping/ntp: Audit clock/NTP params adjustments Ondrej Mosnacek
2018-08-20 15:21 ` Thomas Gleixner [this message]
2018-08-21 7:21 ` [RFC PATCH ghak10 v4 0/2] audit: Log modifying adjtimex(2) calls Miroslav Lichvar
2018-08-22 21:27 ` Paul Moore
2018-08-23 9:14 ` Ondrej Mosnacek
2018-08-23 11:50 ` Paul Moore
2018-08-24 14:56 ` Steve Grubb
2018-09-13 13:58 ` Ondrej Mosnacek
2018-09-13 14:07 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.DEB.2.21.1808201721350.1551@nanos.tec.linutronix.de \
--to=tglx@linutronix.de \
--cc=john.stultz@linaro.org \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mlichvar@redhat.com \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=rgb@redhat.com \
--cc=sboyd@kernel.org \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).