From: Steve Grubb <sgrubb@redhat.com>
To: Ondrej Mosnacek <omosnace@redhat.com>
Cc: Paul Moore <paul@paul-moore.com>,
Miroslav Lichvar <mlichvar@redhat.com>,
Thomas Gleixner <tglx@linutronix.de>,
Linux-Audit Mailing List <linux-audit@redhat.com>,
Richard Guy Briggs <rgb@redhat.com>,
John Stultz <john.stultz@linaro.org>,
Stephen Boyd <sboyd@kernel.org>,
Linux kernel mailing list <linux-kernel@vger.kernel.org>
Subject: Re: [RFC PATCH ghak10 v4 0/2] audit: Log modifying adjtimex(2) calls
Date: Thu, 13 Sep 2018 10:07:54 -0400 [thread overview]
Message-ID: <192111258.UpI01XQOzn@x2> (raw)
In-Reply-To: <CAFqZXNtsjAt3ks7L=e24UVhx23bihz1MLN7gKihs=LFJDShutg@mail.gmail.com>
On Thursday, September 13, 2018 9:58:32 AM EDT Ondrej Mosnacek wrote:
> On Fri, Aug 24, 2018 at 4:56 PM Steve Grubb <sgrubb@redhat.com> wrote:
> > On Wednesday, August 22, 2018 5:27:17 PM EDT Paul Moore wrote:
> > > On Tue, Aug 21, 2018 at 3:21 AM Miroslav Lichvar <mlichvar@redhat.com>
> >
> > wrote:
> > > > > On Mon, 20 Aug 2018, Ondrej Mosnacek wrote:
> > > > > > @John or other timekeeping/NTP folks: We had a discussion on the
> > > > > > audit
> > > > > > ML on which of the internal timekeeping/NTP variables we should
> > > > > > actually
> > > > > > log changes for. We are only interested in variables that can
> > > > > > (directly
> > > > > > or indirectly) cause noticeable changes to the system clock, but
> > > > > > since we
> > > > > > have only limited understanding of the NTP code, we would like to
> > > > > > ask
> > > > > > you for advice on which variables are security relevant.
> > > >
> > > > I guess that mostly depends on whether you consider setting the clock
> > > > to run faster or slower than real time to be an important event for
> > > > the audit.
> > > >
> > > > > > - NTP value adjustments:
> > > > > > - time_offset (probably important)
> > > >
> > > > This can adjust the clock by up to 0.5 seconds per call and also
> > > > speed
> > > > it up or slow down by up to about 0.05% (43 seconds per day).
> > >
> > > This seems worthwhile.
> > >
> > > > > > - time_freq (maybe not important?)
> > > >
> > > > This can speed up or slow down by up to about 0.05%.
> > >
> > > This too.
> > >
> > > > > > - time_status (likely important, can cause leap second injection)
> > > >
> > > > Yes, it can insert/delete leap seconds and it also enables/disables
> > > > synchronization of the hardware real-time clock.
> > >
> > > This one as well.
> > >
> > > > > > - time_maxerror (maybe not important?)
> > > > > > - time_esterror (maybe not important?)
> > > >
> > > > These two change the error estimates that are reported to
> > > > applications
> > > > using ntp_gettime()/adjtimex(). If an application was periodically
> > > > checking that the clock is synchronized with some specified accuracy
> > > > and setting the maxerror to a larger value would cause the
> > > > application to abort, would it be an important event in the audit?
> > >
> > > Since these don't really affect the time, just the expected error, I'm
> > > not sure this is important.
> >
> > I don't think so.
>
> Sorry, just to make sure I understand it right - do you (also) not
> think it is important or do you not think it is not important? :)
I do not think its important to record the errors since the exit code tells
us there's a problem. IOW, I'm agreeing with Paul.
-Steve
prev parent reply other threads:[~2018-09-13 14:07 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-20 12:38 [RFC PATCH ghak10 v4 0/2] audit: Log modifying adjtimex(2) calls Ondrej Mosnacek
2018-08-20 12:38 ` [RFC PATCH ghak10 v4 1/2] audit: Add functions to log time adjustments Ondrej Mosnacek
2018-08-20 12:38 ` [RFC PATCH ghak10 v4 2/2] timekeeping/ntp: Audit clock/NTP params adjustments Ondrej Mosnacek
2018-08-20 15:21 ` [RFC PATCH ghak10 v4 0/2] audit: Log modifying adjtimex(2) calls Thomas Gleixner
2018-08-21 7:21 ` Miroslav Lichvar
2018-08-22 21:27 ` Paul Moore
2018-08-22 21:27 ` Paul Moore
2018-08-23 9:14 ` Ondrej Mosnacek
2018-08-23 11:50 ` Paul Moore
2018-08-24 14:56 ` Steve Grubb
2018-09-13 13:58 ` Ondrej Mosnacek
2018-09-13 13:58 ` Ondrej Mosnacek
2018-09-13 14:07 ` Steve Grubb [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=192111258.UpI01XQOzn@x2 \
--to=sgrubb@redhat.com \
--cc=john.stultz@linaro.org \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mlichvar@redhat.com \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=rgb@redhat.com \
--cc=sboyd@kernel.org \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.