How to audit system time changes?


It’s critical to keep track of changes to the system’s time. A system time change can be caused by a faulty program, hypervisor time injection, or an erroneous operation. The auditd service can be used to record every event that changes the system time.

  • Check to see if the auditd service is up and running.

# systemctl status auditd
# service auditd status

  • Add a new rule to monitor system time changes (adjtimex, clock_settime, and settimeofday are the system calls that set or adjust the clock).

# auditctl -a exit,always -F arch=b64 -S clock_settime -S adjtimex -S settimeofday -k adjtime
# auditctl -a exit,always -F arch=b32 -S clock_settime -S adjtimex -S settimeofday -k adjtime

  • In this example the rules are tagged with the filter key “adjtime”; ausearch uses that key to find the matching records.
  • Change the system time to test the audit rule, then search the audit log for the defined key.

# hwclock --hctosys
# ausearch -k adjtime

  • The sample output is given below.

time->Fri Aug 18 12:37:33 2021
type=SYSCALL msg=audit(1200753453.330:86): arch=40000003 syscall=79 success=yes exit=0 a0=bffeb53c a1=bffeb534 a2=0 a3=0 items=0 ppid=2133 pid=3177 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="hwclock" exe="/sbin/hwclock" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key="adjtime"
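As an added example (not part of the original article), a small Python parser for ausearch output like the record above: it keeps only SYSCALL records carrying the "adjtime" key, decodes the arch and syscall number into names (the i386 and x86_64 tables are standard Linux syscall numbers; the page's record is i386 syscall 79, settimeofday), and flags records whose auid is unset. The second log record is constructed for illustration.

```python
import re

# Audit arch values and syscall numbers for the three time-setting calls the
# auditctl rules above watch. arch=40000003 is i386; c000003e is x86_64.
ARCH_NAMES = {"40000003": "i386", "c000003e": "x86_64"}
TIME_SYSCALLS = {
    "i386":   {79: "settimeofday", 124: "adjtimex", 264: "clock_settime"},
    "x86_64": {164: "settimeofday", 159: "adjtimex", 227: "clock_settime"},
}
UNSET_AUID = "4294967295"  # -1 as u32: no login session was recorded

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+)\.\d+:(\d+)\)')

def parse_record(line):
    """Split one audit record into its key=value fields, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def time_change_events(log_lines, watch_key="adjtime"):
    """Return one summary dict per SYSCALL record tagged with watch_key.
    Non-record lines (ausearch's 'time->' headers) are skipped."""
    events = []
    for line in log_lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("key") != watch_key:
            continue
        arch = ARCH_NAMES.get(rec.get("arch", ""), "unknown")
        num = int(rec.get("syscall", -1))
        m = MSG_RE.search(line)
        events.append({
            "epoch": int(m.group(1)) if m else None,
            "arch": arch,
            "syscall": TIME_SYSCALLS.get(arch, {}).get(num, f"syscall_{num}"),
            "success": rec.get("success") == "yes",
            "uid": rec.get("uid"),
            "auid_unset": rec.get("auid") == UNSET_AUID,
            "comm": rec.get("comm"),
            "exe": rec.get("exe"),
        })
    return events

# Sample input: the record from this page plus one constructed x86_64 record
# in which an unprivileged user's clock_settime attempt is denied (success=no).
SAMPLE_LOG = [
    "time->Fri Aug 18 12:37:33 2021",
    'type=SYSCALL msg=audit(1200753453.330:86): arch=40000003 syscall=79 success=yes exit=0 a0=bffeb53c a1=bffeb534 a2=0 a3=0 items=0 ppid=2133 pid=3177 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="hwclock" exe="/sbin/hwclock" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key="adjtime"',
    'type=SYSCALL msg=audit(1629290253.101:412): arch=c000003e syscall=227 success=no exit=-1 a0=0 a1=7ffd1c2e0a40 a2=0 a3=0 items=0 ppid=2201 pid=2290 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 comm="date" exe="/usr/bin/date" key="adjtime"',
]
```

Feed it the output of `ausearch -k adjtime` (one line per list entry) to get a per-event summary; an unset auid on a successful change means the clock was set outside any audited login session, which is worth a closer look.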
