[RFC PATCH ghak10 v3 0/3] audit: Log modifying adjtimex(2) calls

Paul Moore paul at paul-moore.com
Wed Jul 18 18:36:11 UTC 2018


On Tue, Jul 3, 2018 at 8:44 AM Ondrej Mosnacek <omosnace at redhat.com> wrote:
> I tried to implement separate records for each variable as suggested by
> Richard and it turned out to be quite straightforward and results in
> more compact and readable records (even though there are now a few more
> of them).
>
> Changes in v3:
>   - Switched to separate records for each variable
>   - Both old and new values are now reported for each change
>   - Injecting an offset is reported via a separate record (since this
>     offset consists of two values and is added directly to the clock,
>     i.e. it doesn't make sense to log old and new values)
>   - Added example records produced by chronyd -q (see the commit message
>     of the last patch)
>
> Changes in v2:
>   - The audit_adjtime() function has been modified to only log those
>     fields that contain values that are actually used, resulting in more
>     compact records.
>   - The audit_adjtime() call has been moved to do_adjtimex() in
>     timekeeping.c
>   - Added an additional patch (for review) that simplifies the detection
>     of whether the syscall is read-only.

Looking at these new records, and trying to guess a bit at the
original intent of the feature request, I think we may be going a bit
overboard with the information we are logging.  I'm thinking all we
really need to capture in the audit log is the system time both before
and after the change (for the sake of simplicity I suggest using a
data format similar to the audit record timestamp).

While I created the GH issue for this, I believe the original request
came from a Red Hat BZ that Steve created; Steve, what sort of
certification requirements (if any?) are there for logging system time
changes?

-- 
paul moore
www.paul-moore.com
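The thread touches two concrete points: telling a read-only adjtimex(2) call apart from one that changes clock state (the v2 "read-only detection" patch), and Paul's suggestion to record the system time before and after the change in the same seconds.milliseconds form as the audit record timestamp. The following userspace program is an added example for this archive page, not code from the patch series, the kernel, or either author. It assumes the kernel's usual rule for which adjtimex requests need CAP_SYS_TIME (modes == 0 is a read; in old-style adjtime() mode, ADJ_ADJTIME, the ADJ_OFFSET_READONLY bit marks a read; anything else modifies) and the helper names adjtimex_modifies() and format_audit_time() are this example's own. It only ever issues a read-only query, so it runs unprivileged.

```c
/* Added example: classify adjtimex(2) requests as read-only vs. modifying
 * and render a timestamp the way audit record headers do. Not part of the
 * patch series under discussion; the classification rule is an assumption
 * that mirrors the kernel's CAP_SYS_TIME check for this syscall. */
#include <stdio.h>
#include <string.h>
#include <sys/timex.h>

/* linux/timex.h defines these; glibc's <sys/timex.h> may not export them. */
#ifndef ADJ_ADJTIME
#define ADJ_ADJTIME 0x8000          /* old-style adjtime() compatibility mode */
#endif
#ifndef ADJ_OFFSET_READONLY
#define ADJ_OFFSET_READONLY 0x2000  /* shares its bit with ADJ_NANO; only
                                       meaningful together with ADJ_ADJTIME */
#endif

/* Returns 1 if a request with these 'modes' bits changes clock state, 0 if it
 * is a pure read. Assumption (hypothetical helper): follows the kernel's
 * permission rule rather than any logic from the patch series. */
int adjtimex_modifies(unsigned int modes)
{
    if (modes == 0)
        return 0;                   /* plain query of clock state */
    if (modes & ADJ_ADJTIME)        /* adjtime()-style: readonly bit decides */
        return (modes & ADJ_OFFSET_READONLY) ? 0 : 1;
    return 1;                       /* every other ADJ_* bit writes state */
}

/* Render sec/usec like the timestamp in an audit record header, i.e.
 * "1531939971.123" (seconds, then milliseconds). Returns the number of
 * characters written, or -1 if 'buf' is too small. Hypothetical helper. */
int format_audit_time(long long sec, long usec, char *buf, size_t len)
{
    int n = snprintf(buf, len, "%lld.%03ld", sec, usec / 1000);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Read-only query (modes = 0) needs no privilege, so this runs as any user. */
int main(void)
{
    struct timex tx;
    char ts[32];
    memset(&tx, 0, sizeof(tx));
    int state = adjtimex(&tx);      /* returns the clock state, or -1 */
    if (state < 0) {
        perror("adjtimex");
        return 1;
    }
    /* tx.time.tv_usec holds nanoseconds when STA_NANO is set in tx.status. */
    long usec = (tx.status & STA_NANO) ? tx.time.tv_usec / 1000
                                       : tx.time.tv_usec;
    if (format_audit_time((long long)tx.time.tv_sec, usec, ts, sizeof(ts)) < 0)
        strcpy(ts, "?");
    printf("clock state %d, time %s, request modifies clock: %d\n",
           state, ts, adjtimex_modifies(tx.modes));
    return 0;
}
```

adjtimex_modifies() is the piece an audit hook would consult before emitting a record at all; format_audit_time() shows the before/after value Paul proposes in the same form a log consumer already parses from the record header.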