On Mon, Jan 9, 2023 at 2:33 AM Burn Alting <burn.alt...@iinet.net.au> wrote:
>
> All,
>
> Would it be correct to say that when one sees an adjtimex system call audit
> event, a change has occurred ONLY if either an AUDIT_TIME_ADJNTPVAL (algorithm
> change) or AUDIT_TIME_INJOFFSET (time change) record is present in the event?

Looking at audit_log_time() and audit_tk_injoffset() it appears that an
AUDIT_TIME_INJOFFSET record would indicate a time shift given by the "sec"/"nsec"
fields, while an AUDIT_TIME_ADJNTPVAL *might* indicate a shift depending on what
was adjusted. You probably want to check the adjtimex(2) manpage, specifically
the struct timex definition, for more information on the AUDIT_TIME_ADJNTPVAL
"op" field and "new"/"old" values.

* https://man7.org/linux/man-pages/man2/adjtimex.2.html

Hopefully that helps a little bit.

--
paul-moore.com

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
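As an added illustration of the distinction discussed in this thread (not code from the list or from the kernel/audit projects), the script below groups raw auditd records by event id and classifies each adjtimex/clock_adjtime event the way Paul describes: a TIME_INJOFFSET record means a time step of "sec"/"nsec", TIME_ADJNTPVAL records mean one or more struct timex values changed ("op"/"old"/"new", one record per changed value), and an event with only a SYSCALL record is a read-only query. The sample lines are constructed; the record type names are assumed to be rendered by auditd without the AUDIT_ prefix, and the syscall numbers 159 (adjtimex) and 305 (clock_adjtime) are the x86_64 values. Which "op" values amount to an actual clock shift is left to the reader and the adjtimex(2) manpage, as Paul says; the script only surfaces them.

```python
import re
from collections import defaultdict

# Constructed sample of raw auditd records (not real captures). The field layout
# mirrors what the kernel's audit_log_time() emits: one TIME_ADJNTPVAL record per
# changed struct timex value ("op"/"old"/"new") and one TIME_INJOFFSET record
# carrying an injected step ("sec"/"nsec"). Type names are assumed to appear
# without the AUDIT_ prefix, as auditd writes them.
SAMPLE_LOG = """
type=SYSCALL msg=audit(1673223000.101:501): arch=c000003e syscall=159 success=yes exit=0 comm="ntpd" exe="/usr/sbin/ntpd"
type=TIME_INJOFFSET msg=audit(1673223000.101:501): sec=-2 nsec=0
type=SYSCALL msg=audit(1673223000.205:502): arch=c000003e syscall=159 success=yes exit=0 comm="ntpd" exe="/usr/sbin/ntpd"
type=TIME_ADJNTPVAL msg=audit(1673223000.205:502): op=freq old=0 new=123456
type=TIME_ADJNTPVAL msg=audit(1673223000.205:502): op=status old=8192 new=8193
type=SYSCALL msg=audit(1673223000.310:503): arch=c000003e syscall=159 success=yes exit=0 comm="adjtimex" exe="/usr/sbin/adjtimex"
type=SYSCALL msg=audit(1673223000.420:504): arch=c000003e syscall=305 success=yes exit=0 comm="chronyd" exe="/usr/sbin/chronyd"
type=TIME_INJOFFSET msg=audit(1673223000.420:504): sec=0 nsec=-750000
"""

# Every record of one event shares the "timestamp:serial" id inside msg=audit(...).
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<event>[\d.]+:\d+)\): (?P<body>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: x86_64 (arch=c000003e) syscall numbers for the two time-setting entry points.
TIME_SYSCALLS_X86_64 = {"159": "adjtimex", "305": "clock_adjtime"}


def parse_events(text):
    """Group raw audit records by event id -> list of (record type, fields dict)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m["body"])}
        events[m["event"]].append((m["type"], fields))
    return events


def classify_event(records):
    """Decide whether an adjtimex/clock_adjtime event actually changed anything.

    kind is "time-step" when a TIME_INJOFFSET record is present, "ntp-param" when
    only TIME_ADJNTPVAL records are present, and "query" when neither is.
    """
    syscall = None
    offset = None
    ntp_ops = []
    for rtype, f in records:
        if rtype == "SYSCALL":
            syscall = TIME_SYSCALLS_X86_64.get(f.get("syscall"), f.get("syscall"))
        elif rtype == "TIME_INJOFFSET":
            offset = (int(f["sec"]), int(f["nsec"]))
        elif rtype == "TIME_ADJNTPVAL":
            # Several of these can belong to one event, one per changed timex value.
            ntp_ops.append((f["op"], int(f["old"]), int(f["new"])))
    if offset is not None:
        kind = "time-step"
    elif ntp_ops:
        kind = "ntp-param"
    else:
        kind = "query"
    return {
        "syscall": syscall,
        "kind": kind,
        "changed": kind != "query",
        "offset": offset,
        "ntp_ops": ntp_ops,
    }


def analyse_log(text):
    """Return {event id: classification} for every adjtimex/clock_adjtime event in the log."""
    return {
        eid: classify_event(recs)
        for eid, recs in parse_events(text).items()
        if any(t == "SYSCALL" and f.get("syscall") in TIME_SYSCALLS_X86_64 for t, f in recs)
    }


if __name__ == "__main__":
    for eid, info in analyse_log(SAMPLE_LOG).items():
        print(eid, info["syscall"], info["kind"], info["offset"], info["ntp_ops"])
```

On the sample input events 501 and 504 are reported as time steps, 502 as an NTP parameter change (freq and status), and 503 as a read-only query that changed nothing. A real deployment would feed `ausearch --raw` output into `analyse_log()` and map the syscall number through the event's `arch` field rather than assuming x86_64.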