From: Ondrej Mosnacek
Subject: [RFC PATCH ghak10 v3 0/3] audit: Log modifying adjtimex(2) calls
Date: Tue, 3 Jul 2018 14:44:34 +0200
Message-ID: <20180703124437.22733-1-omosnace@redhat.com>
To: linux-audit@redhat.com
Cc: Richard Guy Briggs
List-Id: linux-audit@redhat.com

I tried to implement separate records for each variable as suggested by Richard and it turned out to be quite straightforward and results in more compact and readable records (even though there are now a bit more of them).

Changes in v3:
- Switched to separate records for each variable
- Both old and new values are now reported for each change
- Injecting an offset is reported via a separate record (since this offset consists of two values and is added directly to the clock, i.e. it doesn't make sense to log old and new value)
- Added example records produced by chronyd -q (see the commit message of the last patch)

Changes in v2:
- The audit_adjtime() function has been modified to only log those fields that contain values that are actually used, resulting in more compact records.
- The audit_adjtime() call has been moved to do_adjtimex() in timekeeping.c
- Added an additional patch (for review) that simplifies the detection of whether the syscall is read-only.
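The cover letter above distinguishes read-only adjtimex(2) calls (which the series does not log) from modifying ones, and only reports the fields a modifying call actually uses. The following user-space program is an added example, not code from the patch series or from the kernel: it classifies a request by its mode bits using the rule documented in adjtimex(2) (modes == 0 is a pure query; ADJ_OFFSET_SS_READ only reads the pending single-shot offset; everything else changes clock state) and lists which timex fields a modifying request consumes. The field names, the fallback ADJ_* defines and the helper names are this example's own choices and not the record format used by the patches. It assumes Linux with glibc or musl.

```c
/* Added example (not part of the ghak10 patch series): classify an
 * adjtimex(2) request as read-only or modifying, and list the timex
 * fields a modifying request actually uses. Linux only. */
#include <stdio.h>
#include <string.h>
#include <sys/timex.h>

/* Kernel uapi names that older libc headers may not export (values from
 * linux/timex.h). ADJ_OFFSET_READONLY shares its value with ADJ_NANO; the
 * kernel tells them apart by whether ADJ_ADJTIME is also set. */
#ifndef ADJ_ADJTIME
#define ADJ_ADJTIME 0x8000
#endif
#ifndef ADJ_OFFSET_READONLY
#define ADJ_OFFSET_READONLY 0x2000
#endif
#ifndef ADJ_TAI
#define ADJ_TAI 0x0080
#endif
#ifndef ADJ_SETOFFSET
#define ADJ_SETOFFSET 0x0100
#endif
#ifndef ADJ_OFFSET_SS_READ
#define ADJ_OFFSET_SS_READ 0xa001
#endif

/* Return 1 if a call with these modes does not change kernel time state.
 * Rule assumed from adjtimex(2): modes == 0 queries the clock, and the
 * single-shot form with ADJ_OFFSET_READONLY only reads the pending offset;
 * any other mode bits require CAP_SYS_TIME and modify the clock. */
int adjtimex_is_readonly(unsigned int modes)
{
    if (modes == 0)
        return 1;
    if ((modes & ADJ_ADJTIME) && (modes & ADJ_OFFSET_READONLY))
        return 1;
    return 0;
}

/* Write a comma-separated list of the timex fields a modifying request
 * uses into buf (truncating safely) and return the number of fields.
 * Read-only requests yield an empty list. Names are this example's own. */
size_t adjtimex_used_fields(unsigned int modes, char *buf, size_t n)
{
    static const struct { unsigned int bit; const char *name; } fields[] = {
        { ADJ_OFFSET,    "offset"    },
        { ADJ_FREQUENCY, "freq"      },
        { ADJ_MAXERROR,  "maxerror"  },
        { ADJ_ESTERROR,  "esterror"  },
        { ADJ_STATUS,    "status"    },
        { ADJ_TIMECONST, "constant"  },
        { ADJ_TAI,       "tai"       },
        { ADJ_SETOFFSET, "setoffset" },  /* offset injected straight into the clock */
        { ADJ_TICK,      "tick"      },
    };
    size_t i, count = 0, len = 0;

    if (n)
        buf[0] = '\0';
    if (adjtimex_is_readonly(modes))
        return 0;

    for (i = 0; i < sizeof fields / sizeof fields[0]; i++) {
        if (!(modes & fields[i].bit))
            continue;
        if (len < n) {
            int w = snprintf(buf + len, n - len, "%s%s",
                             count ? "," : "", fields[i].name);
            if (w > 0)
                len += (size_t)w;
        }
        count++;
    }
    return count;
}

/* Convenience wrapper returning a static buffer (not thread-safe). */
const char *adjtimex_used_fields_str(unsigned int modes)
{
    static char buf[128];
    adjtimex_used_fields(modes, buf, sizeof buf);
    return buf;
}

int main(void)
{
    struct timex tx;
    unsigned int req;

    /* modes == 0: a read-only query that needs no privilege and, per the
     * cover letter, should produce no audit record. */
    memset(&tx, 0, sizeof tx);
    int state = adjtimex(&tx);
    printf("adjtimex(modes=0): state=%d freq=%ld tick=%ld readonly=%d\n",
           state, tx.freq, tx.tick, adjtimex_is_readonly(tx.modes));

    /* A modifying request as an NTP daemon might issue it; only classified
     * here, not executed, since it would need CAP_SYS_TIME. */
    req = ADJ_FREQUENCY | ADJ_TICK;
    printf("modes=%#x readonly=%d uses: %s\n",
           req, adjtimex_is_readonly(req), adjtimex_used_fields_str(req));
    return 0;
}
```

The read-only query in main() is the one call an unprivileged process can make; it is exactly the case the series leaves unlogged, which is why a detection rule keyed on the adjtimex syscall number alone would be far noisier than one keyed on the new records.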