| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 15 Apr 2019 18:28:37 -0400
From: Paul Moore <paul@...l-moore.com>
To: Ondrej Mosnacek <omosnace@...hat.com>
Cc: linux-audit@...hat.com, Richard Guy Briggs <rgb@...hat.com>,
Steve Grubb <sgrubb@...hat.com>,
Miroslav Lichvar <mlichvar@...hat.com>,
John Stultz <john.stultz@...aro.org>,
Thomas Gleixner <tglx@...utronix.de>,
Stephen Boyd <sboyd@...nel.org>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH ghak10 v8 2/2] ntp: Audit NTP parameters adjustment
On Wed, Apr 10, 2019 at 5:14 AM Ondrej Mosnacek <omosnace@...hat.com> wrote:
>
> Emit an audit record every time selected NTP parameters are modified
> from userspace (via adjtimex(2) or clock_adjtime(2)). These parameters
> may be used to indirectly change system clock, and thus their
> modifications should be audited.
>
> Such events will now generate records of type AUDIT_TIME_ADJNTPVAL
> containing the following fields:
> - op -- which value was adjusted:
> - offset -- corresponding to the time_offset variable
> - freq -- corresponding to the time_freq variable
> - status -- corresponding to the time_status variable
> - adjust -- corresponding to the time_adjust variable
> - tick -- corresponding to the tick_usec variable
> - tai -- corresponding to the timekeeping's TAI offset
> - old -- the old value
> - new -- the new value
>
> Example records:
>
> type=TIME_ADJNTPVAL msg=audit(1530616044.507:7): op=status old=64 new=8256
> type=TIME_ADJNTPVAL msg=audit(1530616044.511:11): op=freq old=0 new=49180377088000
>
> The records of this type will be associated with the corresponding
> syscall records.
>
> An overview of parameter changes that can be done via do_adjtimex()
> (based on information from Miroslav Lichvar) and whether they are
> audited:
> __timekeeping_set_tai_offset() -- sets the offset from the
> International Atomic Time
> (AUDITED)
> NTP variables:
> time_offset -- can adjust the clock by up to 0.5 seconds per call
> and also speed it up or slow down by up to about
> 0.05% (43 seconds per day) (AUDITED)
> time_freq -- can speed up or slow down by up to about 0.05%
> (AUDITED)
> time_status -- can insert/delete leap seconds and it also enables/
> disables synchronization of the hardware real-time
> clock (AUDITED)
> time_maxerror, time_esterror -- change error estimates used to
> inform userspace applications
> (NOT AUDITED)
> time_constant -- controls the speed of the clock adjustments that
> are made when time_offset is set (NOT AUDITED)
> time_adjust -- can temporarily speed up or slow down the clock by up
> to 0.05% (AUDITED)
> tick_usec -- a more extreme version of time_freq; can speed up or
> slow down the clock by up to 10% (AUDITED)
>
> Signed-off-by: Ondrej Mosnacek <omosnace@...hat.com>
> Reviewed-by: Richard Guy Briggs <rgb@...hat.com>
> Reviewed-by: Thomas Gleixner <tglx@...utronix.de>
> ---
> include/linux/audit.h | 61 ++++++++++++++++++++++++++++++++++++++
> include/uapi/linux/audit.h | 1 +
> kernel/auditsc.c | 22 ++++++++++++++
> kernel/time/ntp.c | 22 ++++++++++++--
> kernel/time/ntp_internal.h | 4 ++-
> kernel/time/timekeeping.c | 7 ++++-
> 6 files changed, 112 insertions(+), 5 deletions(-)
Merged into audit/next, thanks.
--
paul moore
www.paul-moore.com
Powered by blists - more mailing lists