Bug 1296664 - RFE: audit of adjtimex syscall
Summary: RFE: audit of adjtimex syscall
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: ---
Assignee: Paul Moore
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-01-07 19:14 UTC by Steve Grubb
Modified: 2016-06-02 19:40 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-02 19:40:39 UTC
Type: Bug

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Steve Grubb 2016-01-07 19:14:12 UTC 
Description of problem:
The adjtimex syscall takes a pointer to a structure as its argument. We have to be able to audit when someone or something changes the system clock because that affects correlation of events. Auditing this syscall floods the audit trail with  status requests. How should an admin get events where the time is set rather than the clock being status'ed?
Comment 1 Paul Moore 2016-04-07 01:56:17 UTC 
Upstream issue:

 * https://github.com/linux-audit/audit-kernel/issues/10
Comment 2 Paul Moore 2016-06-02 19:40:39 UTC 
Closing this as we are tracking upstream RFEs on GitHub now:

* https://github.com/linux-audit/audit-kernel/issues/10
Note You need to log in before you can comment on or make changes to this bug.