On Wed, Apr 10, 2019 at 5:14 AM Ondrej Mosnacek <omosn...@redhat.com> wrote: > > Emit an audit record every time selected NTP parameters are modified > from userspace (via adjtimex(2) or clock_adjtime(2)). These parameters > may be used to indirectly change system clock, and thus their > modifications should be audited. > > Such events will now generate records of type AUDIT_TIME_ADJNTPVAL > containing the following fields: > - op -- which value was adjusted: > - offset -- corresponding to the time_offset variable > - freq -- corresponding to the time_freq variable > - status -- corresponding to the time_status variable > - adjust -- corresponding to the time_adjust variable > - tick -- corresponding to the tick_usec variable > - tai -- corresponding to the timekeeping's TAI offset > - old -- the old value > - new -- the new value > > Example records: > > type=TIME_ADJNTPVAL msg=audit(1530616044.507:7): op=status old=64 new=8256 > type=TIME_ADJNTPVAL msg=audit(1530616044.511:11): op=freq old=0 > new=49180377088000 > > The records of this type will be associated with the corresponding > syscall records. > > An overview of parameter changes that can be done via do_adjtimex() > (based on information from Miroslav Lichvar) and whether they are > audited: > __timekeeping_set_tai_offset() -- sets the offset from the > International Atomic Time > (AUDITED) > NTP variables: > time_offset -- can adjust the clock by up to 0.5 seconds per call > and also speed it up or slow down by up to about > 0.05% (43 seconds per day) (AUDITED) > time_freq -- can speed up or slow down by up to about 0.05% > (AUDITED) > time_status -- can insert/delete leap seconds and it also enables/ > disables synchronization of the hardware real-time > clock (AUDITED) > time_maxerror, time_esterror -- change error estimates used to > inform userspace applications > (NOT AUDITED) > time_constant -- controls the speed of the clock adjustments that > are made when time_offset is set (NOT AUDITED) > time_adjust -- can temporarily speed up or slow down the clock by up > to 0.05% (AUDITED) > tick_usec -- a more extreme version of time_freq; can speed up or > slow down the clock by up to 10% (AUDITED) > > Signed-off-by: Ondrej Mosnacek <omosn...@redhat.com> > Reviewed-by: Richard Guy Briggs <r...@redhat.com> > Reviewed-by: Thomas Gleixner <t...@linutronix.de> > --- > include/linux/audit.h | 61 ++++++++++++++++++++++++++++++++++++++ > include/uapi/linux/audit.h | 1 + > kernel/auditsc.c | 22 ++++++++++++++ > kernel/time/ntp.c | 22 ++++++++++++-- > kernel/time/ntp_internal.h | 4 ++- > kernel/time/timekeeping.c | 7 ++++- > 6 files changed, 112 insertions(+), 5 deletions(-)
Merged into audit/next, thanks. -- paul moore www.paul-moore.com -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
