Re: [RFC PATCH ghak10 2/3] audit: Add the audit_adjtime() function
On Tuesday, June 19, 2018 4:57:37 AM EDT Ondrej Mosnacek wrote:
2018-06-18 20:39 GMT+02:00 Steve Grubb <sgrubb(a)redhat.com>:
> On Friday, June 15, 2018 8:45:22 AM EDT Ondrej Mosnacek wrote:
>> This patch adds a new function that shall be used to log any
>> modification of the system's clock (via the adjtimex() syscall).
>>
>> The function logs an audit record of type AUDIT_TIME_ADJUSTED with the
>> following fields:
>> * txmodes (the 'modes' field of struct timex)
>> * txoffset (the 'offset' field of struct timex)
>> * txfreq (the 'freq' field of struct timex)
>> * txmaxerr (the 'maxerror' field of struct timex)
>> * txesterr (the 'esterror' field of struct timex)
>> * txstatus (the 'status' field of struct timex)
>> * txconst (the 'constant' field of struct timex)
>> * txsec, txusec (the 'tv_sec' and 'tv_usec' fields of the
'time' field
>> of struct timex (respectively))
>> * txtick (the 'tick' field of struct timex)
>
> Are all of these fields security relevant? Primarily what we need to know
> is if time is being adjusted. This is relevant because a bad guy may
> adjust system time to make something appear to happen earlier or later
> than it really did which make correlation hard or impossible.
This is still an open question for me... On the one hand, we might
want to know exactly what the bad guy was trying to do ("He changed
the offset to 500 ms." vs. just "He adjusted the clock."), on the
other hand, we may not really care and consider it yet another junk
data in the logs... A possible compromise could be to log only
relevant fields (see 'Possible improvements' in the commit message).
Assuming ntpd or other authorized applications would only modify
one/few variables at a time, this would add only a few fields to the
record each time.
I think we want the modes field so that we know what was changed. But do we
really need to know maxerror or status? I think we should limit this to the
modes and any value of a time adjustment.
Note that this new auxiliary record gets only logged on *modifying*
operations, which should not be that frequent, and thus it shouldn't
be a problem to output a bit of potentially useful information.
We're after just security information.
That said, I don't mind logging just an empty record if that is
preferred.
An empty buffer doesn't tell us what was adjusted.
Thanks,
-Steve