From e789b0817f393a18d1d34b0882ce7a2cc4bfbb9d Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Wed, 16 Nov 2022 15:59:49 +0100
Subject: [PATCH] ntp+cmdmon: log allow/deny commands

Log added NTP and command access restrictions, using INFO severity if from a chronyc command, DEBUG otherwise (i.e. from the config).
---
 cmdmon.c | 3 +++
 ntp_core.c | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/cmdmon.c b/cmdmon.c
index 89ce191..2eb2384 100644
--- a/cmdmon.c
+++ b/cmdmon.c
@@ -1799,6 +1799,9 @@ CAM_AddAccessRestriction(IPAddr *ip_addr, int subnet_bits, int allow, int all)
 if (status == ADF_BADSUBNET) {
 return 0;
 } else if (status == ADF_SUCCESS) {
+ LOG(LOG_GetContextSeverity(LOGC_Command), "%s%s %s access from %s",
+ allow ? "Allowed" : "Denied", all ? " all" : "", "command",
+ UTI_IPSubnetToString(ip_addr, subnet_bits));
 return 1;
 } else {
 return 0;
diff --git a/ntp_core.c b/ntp_core.c
index 63c5a3a..1d39ded 100644
--- a/ntp_core.c
+++ b/ntp_core.c
@@ -2856,6 +2856,10 @@ NCR_AddAccessRestriction(IPAddr *ip_addr, int subnet_bits, int allow, int all)
 if (status != ADF_SUCCESS)
 return 0;

+ LOG(LOG_GetContextSeverity(LOGC_Command), "%s%s %s access from %s",
+ allow ? "Allowed" : "Denied", all ? " all" : "", "NTP",
+ UTI_IPSubnetToString(ip_addr, subnet_bits));
+
 /* Keep server sockets open only when an address allowed */
 if (allow) {
 NTP_Remote_Address remote_addr;
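Review bot: The severity of the new LOG call in the ADF_SUCCESS branch of CAM_AddAccessRestriction is chosen by `LOG_GetContextSeverity(LOGC_Command)` with no comment at the call site, so a reader has to find the commit message to learn that restrictions loaded from the config are logged at DEBUG only. I would add `/* INFO when issued by a chronyc command, DEBUG when set from the config */` above the call, and the same above the identical call in NCR_AddAccessRestriction in ntp_core.c. Because these lines record access-control changes, anyone using the log as an audit trail should know that at the default log level only runtime changes appear and the baseline from the config does not; this is inferred from the commit description, as LOG_GetContextSeverity itself is not shown. Both function bodies start and end outside their hunks.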