I tried out the rule in lspp.rules that should catch changes in the system time and discovered that it doesn't catch changes made by the date command. date uses the clock_settime syscall instead of adjtimex or settimeofday.
Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
