Hello, On Monday, January 9, 2023 2:33:39 AM EST Burn Alting wrote: > Would it be correct to say that when one sees an adjtimex system call audit > event, a change has occurred ONLY if either a AUDIT_TIME_ADJNTPVAL > (algorithm change) or AUDIT_TIME_INJOFFSET (time change) record is present > in the event?
I think if you see either, time has been changed. I haven't studied the syscall to see if there isn't a sneak path, but I think they can be relied on. -Steve -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
