On Mon, Aug 27, 2018 at 6:38 PM Steve Grubb <sgrubb(a)redhat.com> wrote:
On Monday, August 27, 2018 5:13:17 AM EDT Ondrej Mosnacek wrote:
> On Mon, Aug 27, 2018 at 9:50 AM Miroslav Lichvar <mlichvar(a)redhat.com>
wrote:
> > On Fri, Aug 24, 2018 at 02:00:00PM +0200, Ondrej Mosnacek wrote:
> > > This patch adds two auxiliary record types that will be used to
> > > annotate
> > > the adjtimex SYSCALL records with the NTP/timekeeping values that have
> > > been changed.
> >
> > It seems the "adjust" function intentionally logs also calls/modes
> > that don't actually change anything. Can you please explain it a bit
> > in the message?
> >
> > NTP/PTP daemons typically don't read the adjtimex values in a normal
> > operation and overwrite them on each update, even if they don't
> > change. If the audit function checked that oldval != newval, the
> > number of messages would be reduced and it might be easier to follow.
>
> We actually want to log any attempt to change a value, as even an
> intention to set/change something could be a hint that the process is
> trying to do something bad (see discussion at [1]).
One of the problems is that these applications can flood the logs very
quickly. An attempt to change is not needed unless it fails for permissions
reasons. So, limiting to actual changes is probably a good thing.
Well, Richard seemed to "violently" agree with the opposite, so now I
don't know which way to go... Paul, you are the official tie-breaker
here, which do you prefer?
-Steve
> There are valid
> arguments both for and against this choice, but we have to pick one in
> the end... Anyway, I should explain the reasoning in the commit
> message better, right now it just states the fact without explanation
> (in the second patch), thank you for pointing my attention to it.
>
> [1]
https://www.redhat.com/archives/linux-audit/2018-July/msg00061.html
>
> --
> Ondrej Mosnacek <omosnace at redhat dot com>
> Associate Software Engineer, Security Technologies
> Red Hat, Inc.
--
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.