Audit System Time Changes on Linux|Centos|RHEL|Ubuntu|Debian

On a Linux system, auditing a handful of system calls with auditd is enough to record who changes the system time. This matters for log integrity: a changed clock shifts the timestamp on every later log entry, which is a classic way to muddle a timeline during an incident. The Solution section below lists the relevant system calls and the audit rules that watch them on Linux (CentOS, RHEL, Ubuntu, Debian).


Topic

  • How to audit system time changes?
  • Audit time changes on a Linux|Centos|RHEL|Ubuntu|Debian system
  • Track who changed system time
  • Linux audit track system time changes


Solution


The audit rule needs to cover every system call through which the system clock can be set:

  • adjtimex() – reads and sets the kernel's time-adjustment parameters. NTP daemons use it to slew or step the clock, so it must be audited alongside the direct setters.
  • settimeofday() – sets the time of day (and, historically, the timezone). Its read-only counterpart gettimeofday() is not audited; reading the clock is harmless.
  • clock_settime() – sets the clock identified by clk_id. CLOCK_REALTIME (clk_id 0) is the system wall clock, and it is the call that the date -s command uses. The read-only clock_gettime() is not audited.

Execute the following commands to load the rules at run time, without restarting the auditd service. Both the b32 and b64 rules are needed on a 64-bit kernel: a 32-bit binary uses the 32-bit system-call table (with different syscall numbers), and a rule for one arch does not match the other. Note that the 32-bit table also has the older stime() call, which can be added to the arch=b32 rule only; auditctl rejects it for arch=b64. If the audit configuration has been locked with -e 2, auditctl refuses to add rules, and changes take effect only after a reboot.

# auditctl -a exit,always -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -k timechange
# auditctl -a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k timechange

Make the above rules permanent by adding the following lines to the /etc/audit/rules.d/audit.rules file. Where augenrules is in use (the default on current RHEL/CentOS, Debian and Ubuntu releases), the files under /etc/audit/rules.d/ are merged into /etc/audit/audit.rules when the service starts, so the generated file should not be edited by hand; on older systems without augenrules, add the lines to /etc/audit/audit.rules directly.

#Track system time changes
-a exit,always -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -k timechange
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k timechange

Restart the auditd service and confirm that the rules are loaded. On distributions where the systemd unit sets RefuseManualStop, systemctl restart auditd fails; the legacy service command below (or augenrules --load) works. auditctl -l prints the rules in its own normalised form, with always,exit and -F key= instead of -k, which is equivalent to what was entered.

# service auditd restart
# auditctl -l
-a always,exit -F arch=b32 -S settimeofday,adjtimex,clock_settime -F key=timechange
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -F key=timechange

Test

To test, change the system clock as root (setting it to the value it already has is enough to trigger the rule without disturbing anything) and then search the audit log by key:

# ausearch -k timechange
time->Sun Feb 17 00:22:16 2019
type=PROCTITLE msg=audit(1568487136.122:204): proctitle=64617465002D730053756E205365702031352030303A32313A3537204953542032303139
type=SYSCALL msg=audit(1568487136.122:204): arch=c000003e syscall=227 success=yes exit=0 a0=0 a1=7ffecae98680 a2=1 a3=7ffecae98060 items=0 ppid=1591 pid=1844 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="date" exe="/usr/bin/date" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="timechange"

Read field by field, the event says the following. arch=c000003e is x86_64, and on that table syscall=227 is clock_settime; a0=0 is the clk_id argument, CLOCK_REALTIME, so the wall clock was set. success=yes and exit=0 confirm the call succeeded. comm="date" and exe="/usr/bin/date" identify the program, and the PROCTITLE record carries the full command line hex-encoded (here a "date -s ..." invocation). To answer "who", use auid rather than uid: auid is the login UID assigned at authentication and it survives su and sudo, so a user who escalated to root before changing the time still appears under their own UID, whereas uid=0 only shows that the call ran as root. In this event auid=0, so the root account itself logged in and ran date to change the system time.
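The following shell script is an added example, not part of the original post: it turns raw records matched by the timechange key into a one-line "who did what" summary and decodes the hex proctitle, so the fields discussed above can be read without guessing. It assumes x86 syscall numbering (arch=c000003e for x86_64, arch=40000003 for i386). The first sample record is the SYSCALL line from the post; the second is constructed for illustration, and the program name "settime" in it is hypothetical.

```sh
#!/bin/sh
# Added example, not from the original post: decode raw auditd records
# matched by the "timechange" key into a one-line "who did what" summary.
# Assumptions: x86 syscall numbering (x86_64 arch=c000003e, i386 arch=40000003).
# The first sample record is the SYSCALL line quoted in the post; the second
# is constructed for illustration (comm/exe "settime" is a hypothetical program).

# Pull one key=value field out of an audit record, stripping surrounding quotes.
# The leading space keeps "uid=" from matching inside "auid=" or "fsuid=".
field() {
  printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# Map (arch, syscall number) to the time-setting call it denotes.
syscall_name() {
  case "$1:$2" in
    c000003e:159) echo adjtimex ;;
    c000003e:164) echo settimeofday ;;
    c000003e:227) echo clock_settime ;;
    40000003:124) echo adjtimex ;;
    40000003:79)  echo settimeofday ;;
    40000003:264) echo clock_settime ;;
    40000003:25)  echo stime ;;
    *)            echo "syscall_$2" ;;   # unknown: keep the raw number
  esac
}

# Decode a hex-encoded proctitle; the NUL bytes that separate argv entries
# become spaces. Done byte by byte so "3030" (the digits "00") is never
# mistaken for a NUL separator.
decode_proctitle() {
  hex=$1
  out=""
  while [ ${#hex} -ge 2 ]; do
    byte=${hex%"${hex#??}"}          # first two hex digits
    hex=${hex#??}
    if [ "$byte" = "00" ]; then
      out="$out "
    else
      out="$out$(printf "\\$(printf '%o' "0x$byte")")"
    fi
  done
  printf '%s\n' "$out"
}

# Summarise a SYSCALL record. auid (the login UID, preserved across su/sudo)
# answers "who"; uid only says which identity the call ran under.
summarize_syscall() {
  rec=$1
  call=$(syscall_name "$(field "$rec" arch)" "$(field "$rec" syscall)")
  if [ "$call" = clock_settime ]; then
    # a0 is the clk_id argument; 0 is CLOCK_REALTIME, the wall clock.
    case "$(field "$rec" a0)" in
      0) call="clock_settime(CLOCK_REALTIME)" ;;
      *) call="clock_settime(clockid=$(field "$rec" a0))" ;;
    esac
  fi
  printf 'auid=%s uid=%s comm=%s exe=%s call=%s success=%s\n' \
    "$(field "$rec" auid)" "$(field "$rec" uid)" "$(field "$rec" comm)" \
    "$(field "$rec" exe)" "$call" "$(field "$rec" success)"
}

# Sample input: the post's own record, then a constructed one in which a
# user with login UID 1000 became root (uid=0) before calling settimeofday.
REC_POST='type=SYSCALL msg=audit(1568487136.122:204): arch=c000003e syscall=227 success=yes exit=0 a0=0 a1=7ffecae98680 a2=1 a3=7ffecae98060 items=0 ppid=1591 pid=1844 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="date" exe="/usr/bin/date" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="timechange"'
REC_SUDO='type=SYSCALL msg=audit(1568487300.501:231): arch=c000003e syscall=164 success=yes exit=0 a0=7ffd3c1e4a10 a1=0 a2=0 a3=0 items=0 ppid=2100 pid=2101 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="settime" exe="/usr/local/bin/settime" key="timechange"'
PROCTITLE_POST=64617465002D730053756E205365702031352030303A32313A3537204953542032303139

summarize_syscall "$REC_POST"
summarize_syscall "$REC_SUDO"
decode_proctitle "$PROCTITLE_POST"
```

On a live system, ausearch -i -k timechange performs this interpretation itself (syscall names, proctitle decoding, UID to user name). The script is useful where raw audit records are shipped to a SIEM or parsed by hand, and it makes the point concrete: the second record runs as uid=0, but auid=1000 is the person to ask about it.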


About the Author: TekFik

TekFik is a technical blogging site that helps techies and engineers solve their day-to-day issues and lets everyone share knowledge and feedback. Please feel free to contact us at tekfik.rd@gmail.com.
