[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: Capture System Time Changes



Just add following to the audit.rules file. Should record any attempt to set or adjust time from on—privileged user or root.

 

 

-S clock_settime –S settimeofday –S adjtimex

 

 

# Log administrative functions 32bit

-a exit,always -S reboot -S clock_settime -S settimeofday -S adjtimex -S setdomainname -S sethostname -S reboot -S mount -S umount2 -k admin

 

 

# Log administrative functions 64bit

-a exit,always -F arch=b64 -S reboot -S clock_settime -S settimeofday -S adjtimex -S setdomainname -S sethostname -S reboot -S mount -S umount2 -k admin

 

 

 

 

From: linux-audit-bounces redhat com [mailto:linux-audit-bounces redhat com] On Behalf Of Rye, Gene R.
Sent: Thursday, January 19, 2012 12:37 PM
To: linux-audit redhat com
Subject: EXTERNAL: Capture System Time Changes

 

I am using both the NISPOM and STIG rules for my audit.rules file.  As root, if I perform a system time change, it does not capture this information in either /var/log/secure or var/log/audit/audit.log.  How can I capture when someone changes the time or attempts to change the time?


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]