From mboxrd@z Thu Jan  1 00:00:00 1970
From: Miroslav Lichvar <mlichvar@redhat.com>
Subject: Re: [PATCH ghak10 v5 1/2] audit: Add functions to log time
 adjustments
Date: Mon, 27 Aug 2018 09:50:20 +0200
Message-ID: <20180827075020.GL27091@localhost>
References: <20180824120001.20771-1-omosnace@redhat.com>
 <20180824120001.20771-2-omosnace@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path: <linux-kernel-owner@vger.kernel.org>
Content-Disposition: inline
In-Reply-To: <20180824120001.20771-2-omosnace@redhat.com>
Sender: linux-kernel-owner@vger.kernel.org
To: Ondrej Mosnacek <omosnace@redhat.com>
Cc: linux-audit@redhat.com, Paul Moore <paul@paul-moore.com>, Richard Guy Briggs <rgb@redhat.com>, Steve Grubb <sgrubb@redhat.com>, John Stultz <john.stultz@linaro.org>, Thomas Gleixner <tglx@linutronix.de>, Stephen Boyd <sboyd@kernel.org>, linux-kernel@vger.kernel.org
List-Id: linux-audit@redhat.com

On Fri, Aug 24, 2018 at 02:00:00PM +0200, Ondrej Mosnacek wrote:
> This patch adds two auxiliary record types that will be used to annotate
> the adjtimex SYSCALL records with the NTP/timekeeping values that have
> been changed.

It seems the "adjust" function intentionally logs also calls/modes
that don't actually change anything. Can you please explain it a bit
in the message?

NTP/PTP daemons typically don't read the adjtimex values in a normal
operation and overwrite them on each update, even if they don't
change. If the audit function checked that oldval != newval, the
number of messages would be reduced and it might be easier to follow.

-- 
Miroslav Lichvar