Capture System Time Changes

Capture System Time Changes

[Rye, Gene R.]

[-- Attachment #1.1: Type: text/plain, Size: 291 bytes --]

I am using both the NISPOM and STIG rules for my audit.rules file.  As
root, if I perform a system time change, it does not capture this
information in either /var/log/secure or var/log/audit/audit.log.  How
can I capture when someone changes the time or attempts to change the
time?


[-- Attachment #1.2: Type: text/html, Size: 1793 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

RE: Capture System Time Changes

[Strauch, Billy]

[-- Attachment #1.1: Type: text/plain, Size: 1052 bytes --]

Just add following to the audit.rules file. Should record any attempt to set or adjust time from on-privileged user or root.


-S clock_settime -S settimeofday -S adjtimex


# Log administrative functions 32bit
-a exit,always -S reboot -S clock_settime -S settimeofday -S adjtimex -S setdomainname -S sethostname -S reboot -S mount -S umount2 -k admin


# Log administrative functions 64bit
-a exit,always -F arch=b64 -S reboot -S clock_settime -S settimeofday -S adjtimex -S setdomainname -S sethostname -S reboot -S mount -S umount2 -k admin




From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Rye, Gene R.
Sent: Thursday, January 19, 2012 12:37 PM
To: linux-audit@redhat.com
Subject: EXTERNAL: Capture System Time Changes

I am using both the NISPOM and STIG rules for my audit.rules file.  As root, if I perform a system time change, it does not capture this information in either /var/log/secure or var/log/audit/audit.log.  How can I capture when someone changes the time or attempts to change the time?

[-- Attachment #1.2: Type: text/html, Size: 5327 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]