Just add the following to the audit.rules file. Should record any attempt to set or 
adjust time from non-privileged user or root.


-S clock_settime -S settimeofday -S adjtimex


# Log administrative functions 32bit
-a exit,always -F arch=b32 -S reboot -S clock_settime -S settimeofday -S adjtimex -S setdomainname -S sethostname -S mount -S umount2 -k admin


# Log administrative functions 64bit
-a exit,always -F arch=b64 -S reboot -S clock_settime -S settimeofday -S adjtimex -S setdomainname -S sethostname -S mount -S umount2 -k admin




From: [email protected] [mailto:[email protected]] On 
Behalf Of Rye, Gene R.
Sent: Thursday, January 19, 2012 12:37 PM
To: [email protected]
Subject: EXTERNAL: Capture System Time Changes

I am using both the NISPOM and STIG rules for my audit.rules file.  As root, if 
I perform a system time change, it does not capture this information in either 
/var/log/secure or /var/log/audit/audit.log.  How can I capture when someone 
changes the time or attempts to change the time?
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
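
With rules like those in the reply loaded, time changes show up in /var/log/audit/audit.log as SYSCALL records tagged key="admin", mixed with the mount, reboot and hostname events that share the key. The following is an added example, not part of the original thread: it pulls only the time-change attempts out of raw records, including failed ones. The function name, the syscall numbers (x86_64 and i386 only) and the sample records are assumptions made for this illustration.

```python
import re

# (arch, syscall number) -> name for the three time syscalls named in the rules.
# arch as written in raw audit.log: c000003e = x86_64 (b64), 40000003 = i386 (b32).
TIME_SYSCALLS = {
    ("c000003e", 159): "adjtimex", ("c000003e", 164): "settimeofday",
    ("c000003e", 227): "clock_settime", ("40000003", 79): "settimeofday",
    ("40000003", 124): "adjtimex", ("40000003", 264): "clock_settime",
}
HEADER = re.compile(r"^type=SYSCALL msg=audit\((\d+\.\d+):(\d+)\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def time_change_events(lines, key="admin"):
    """Return time-change attempts (successful or not) recorded under `key`."""
    events = []
    for line in lines:
        m = HEADER.match(line)
        if not m:
            continue  # not a SYSCALL record (PATH, CWD, ...)
        f = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        if f.get("key") != key or not f.get("syscall", "").isdigit():
            continue
        name = TIME_SYSCALLS.get((f.get("arch"), int(f["syscall"])))
        if name is None:
            continue  # same key, different syscall (mount, reboot, sethostname, ...)
        events.append({
            "time": float(m.group(1)), "serial": int(m.group(2)), "syscall": name,
            "auid": f.get("auid"), "uid": f.get("uid"), "exe": f.get("exe"),
            "success": f.get("success") == "yes",
        })
    return events

# Constructed sample records (not from a real host).
SAMPLE = [
    'type=SYSCALL msg=audit(1326994620.123:412): arch=c000003e syscall=227 success=yes '
    'exit=0 pid=2150 auid=500 uid=0 euid=0 comm="date" exe="/bin/date" key="admin"',
    'type=SYSCALL msg=audit(1326994655.871:419): arch=c000003e syscall=164 success=no '
    'exit=-1 pid=2161 auid=500 uid=500 euid=500 comm="date" exe="/bin/date" key="admin"',
    'type=SYSCALL msg=audit(1326994700.002:425): arch=c000003e syscall=165 success=yes '
    'exit=0 pid=2170 auid=500 uid=0 euid=0 comm="mount" exe="/bin/mount" key="admin"',
    'type=PATH msg=audit(1326994700.002:425): item=0 name="/mnt" inode=12 dev=08:01',
]

if __name__ == "__main__":
    for e in time_change_events(SAMPLE):
        print(e)
```

The auid field keeps the login identity even when uid is 0, which is what attributes a change made as root back to the account that logged in.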