On Mon, Aug 27, 2018 at 9:50 AM Miroslav Lichvar <[email protected]> wrote: > On Fri, Aug 24, 2018 at 02:00:00PM +0200, Ondrej Mosnacek wrote: > > This patch adds two auxiliary record types that will be used to annotate > > the adjtimex SYSCALL records with the NTP/timekeeping values that have > > been changed. > > It seems the "adjust" function intentionally logs also calls/modes > that don't actually change anything. Can you please explain it a bit > in the message? > > NTP/PTP daemons typically don't read the adjtimex values in a normal > operation and overwrite them on each update, even if they don't > change. If the audit function checked that oldval != newval, the > number of messages would be reduced and it might be easier to follow.
We actually want to log any attempt to change a value, as even an intention to set/change something could be a hint that the process is trying to do something bad (see discussion at [1]). There are valid arguments both for and against this choice, but we have to pick one in the end... Anyway, I should explain the reasoning in the commit message better, right now it just states the fact without explanation (in the second patch), thank you for pointing my attention to it. [1] https://www.redhat.com/archives/linux-audit/2018-July/msg00061.html -- Ondrej Mosnacek <omosnace at redhat dot com> Associate Software Engineer, Security Technologies Red Hat, Inc. -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
