Bug 1296664

Summary: RFE: audit of adjtimex syscall
Product: [Fedora] Fedora Reporter: Steve Grubb <sgrubb>
Component: kernelAssignee: Paul Moore <pmoore>
Status: CLOSED DEFERRED QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: medium    
Version: rawhideCC: gansalmon, itamar, jonathan, kernel-maint, madhu.chinakonda, mchehab, rbriggs
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-06-02 19:40:39 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Steve Grubb 2016-01-07 19:14:12 UTC 
Description of problem:
The adjtimex syscall takes a pointer to a structure as its argument. We have to be able to audit when someone or something changes the system clock because that affects correlation of events. Auditing this syscall floods the audit trail with  status requests. How should an admin get events where the time is set rather than the clock being status'ed?
Comment 1 Paul Moore 2016-04-07 01:56:17 UTC 
Upstream issue:

 * https://github.com/linux-audit/audit-kernel/issues/10
Comment 2 Paul Moore 2016-06-02 19:40:39 UTC 
Closing this as we are tracking upstream RFEs on GitHub now:

* https://github.com/linux-audit/audit-kernel/issues/10