How to monitor time changes using auditd in CentOS/RHEL?

Auditing can provide accountability by tracing the actions of a user or process. It can state what commands were executed, what files were opened, and when the actions occurred.


Check the status of the auditd service

auditd records its events in /var/log/audit/audit.log and runs in the background as a systemd service. Check its current status with:


# systemctl status auditd
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2018-06-13 15:16:04 UTC; 3min 14s ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
  Process: 656 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
  Process: 651 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
 Main PID: 652 (auditd)
    Tasks: 2
   CGroup: /system.slice/auditd.service
           └─652 /sbin/auditd

If the service is not running, start it with the command below. The "Loaded:" line in the status output above should also show it as enabled, so that auditing starts at boot and no time change goes unrecorded.

# systemctl start auditd


Auditing system time changes

Let's add an auditd rule that records every change to the system clock. The rule watches the adjtimex and settimeofday system calls, which programs use to set or slew the time. Add the line below to /etc/audit/rules.d/audit.rules. Rules in that directory take effect only after they are loaded: run augenrules --load (the command auditd.service runs as ExecStartPost in the status output above), or restart auditd with "service auditd restart". Two caveats before relying on the rule: current coreutils "date -s" sets the clock with clock_settime(2) rather than settimeofday(2), so add -S clock_settime to the list if the date test below is expected to produce a record, and on x86_64 auditctl wants an -F arch=b64 (and -F arch=b32) filter on system-call rules and warns about a 32/64-bit mismatch when it is missing.


# vi /etc/audit/rules.d/audit.rules
-a exit,always -S adjtimex -S settimeofday -k time_change

On CentOS/RHEL 6 the rules file is /etc/audit/audit.rules instead of /etc/audit/rules.d/audit.rules, and the rule is loaded by restarting the auditd service.

Here,

exit,always – "exit" is the filter list the rule is added to (evaluated when the system call returns, so the result of the call is available), and "always" is the action: always write an audit record. auditctl accepts the order always,exit as well.

time_change – the key attached to every record this rule produces; it is what you search for later.

adjtimex, settimeofday – the system calls that change the system clock; each -S adds one system call to the rule.

Verify

You can verify that the rule works by changing the system time. Do this on a test machine: it really moves the clock.

Before:

# date
Wed Jun 13 16:09:37 UTC 2018


After:

# date -s "20160418"
Mon Apr 18 00:00:00 UTC 2016

We can search the audit log for records carrying the key defined in the rule ("time_change") with ausearch. Note that the CONFIG_CHANGE record shown below only documents that the rule was added (op=add_rule); an actual clock change produces a SYSCALL record with the same key, carrying the auid, comm and exe of the process that made the call. If only the CONFIG_CHANGE record appears after the date command, the system call date used (clock_settime on current coreutils) was not covered by the rule.

# ausearch -k time_change
----
time->Fri Apr 18 00:01:43 2014
type=CONFIG_CHANGE msg=audit(1397779303.375:276): auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 op=add_rule key="time_change" list=4 res=1
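
The script below is an added example, not part of the original article. It ties the steps above together in POSIX sh: it emits a fuller rule set than the one-liner (adding clock_settime, which "date -s" in current coreutils calls, and the -F arch filters for both ABIs), installs and loads it with augenrules, and parses raw audit log lines (from /var/log/audit/audit.log or "ausearch -k time_change -r") to list the SYSCALL records that carry the key. The file name time_change.rules, the function names and the sample log lines are assumptions or constructed for the example; the syscall-number table is the x86_64 one.

```shell
#!/bin/sh
# Added example, not from the original article. Assumptions are marked.

# 1. Rule text. Extends the article's adjtimex/settimeofday rule with
#    clock_settime (used by `date -s` in current coreutils) and the
#    -F arch filters auditctl expects on x86_64; one rule per ABI.
time_change_rules() {
    cat <<'EOF'
## Clock changes via system call (key: time_change)
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time_change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -k time_change
EOF
}

# 2. Install the rules into rules.d (file name is an assumption) and load
#    them with augenrules, the command auditd.service runs as ExecStartPost.
#    Needs root; not invoked by the demo at the bottom.
install_time_change_rules() {
    rules_file="${1:-/etc/audit/rules.d/time_change.rules}"
    time_change_rules > "$rules_file"
    augenrules --load
    auditctl -l | grep -- '-k time_change'   # confirm the rules are active
}

# 3. Summarize SYSCALL records with key="time_change" from raw audit log
#    lines on stdin. Output per event:
#      epoch-seconds  syscall  auid  comm  exe  success
#    Syscall numbers are translated with the x86_64 table only (assumption);
#    `ausearch -i` does this for any arch on a live system.
summarize_time_changes() {
    awk '
    /^type=SYSCALL / && /key="time_change"/ {
        split("", v)                       # reset the name=value map per record
        for (i = 1; i <= NF; i++) {        # fields are name=value, order varies
            split($i, kv, "=")
            v[kv[1]] = kv[2]
        }
        ts = v["msg"]                      # audit(1528906177.123:345): -> 1528906177
        sub(/^audit\(/, "", ts); sub(/\..*$/, "", ts)
        sc = v["syscall"]
        if (sc == "159") sc = "adjtimex"
        else if (sc == "164") sc = "settimeofday"
        else if (sc == "227") sc = "clock_settime"
        auid = v["auid"]
        if (auid == "4294967295") auid = "unset(daemon)"   # no login session, e.g. chronyd
        gsub(/"/, "", v["comm"]); gsub(/"/, "", v["exe"])
        print ts, sc, auid, v["comm"], v["exe"], v["success"]
    }'
}

count_time_changes() { summarize_time_changes | wc -l | tr -d ' '; }

# Constructed sample of raw audit.log lines (not a real capture): the rule
# being added, a root `date -s` (clock_settime), chronyd's periodic adjtimex,
# a root `hwclock --hctosys` (settimeofday), and an unprivileged `date -s`
# that failed with EPERM but is still recorded, since the rule has no success filter.
SAMPLE_AUDIT_LOG='type=CONFIG_CHANGE msg=audit(1528906000.100:270): auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 op=add_rule key="time_change" list=4 res=1
type=SYSCALL msg=audit(1528906177.123:345): arch=c000003e syscall=227 success=yes exit=0 a0=0 a1=7ffd3c0e2a10 a2=0 a3=0 items=0 ppid=2001 pid=2045 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="date" exe="/usr/bin/date" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="time_change"
type=PROCTITLE msg=audit(1528906177.123:345): proctitle=64617465002D73003230313630343138
type=SYSCALL msg=audit(1528906200.456:350): arch=c000003e syscall=159 success=yes exit=0 a0=7f2a1c001e80 a1=0 a2=0 a3=0 items=0 ppid=1 pid=710 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:chronyd_t:s0 key="time_change"
type=SYSCALL msg=audit(1528906250.789:360): arch=c000003e syscall=164 success=yes exit=0 a0=7ffe0b1c0c40 a1=0 a2=0 a3=0 items=0 ppid=2001 pid=2099 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="hwclock" exe="/usr/sbin/hwclock" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="time_change"
type=SYSCALL msg=audit(1528906300.012:370): arch=c000003e syscall=227 success=no exit=-1 a0=0 a1=7ffc91a4e2f0 a2=0 a3=0 items=0 ppid=2001 pid=2140 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="date" exe="/usr/bin/date" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="time_change"'

# Demo on the sample. On a real host: ausearch -k time_change -r | summarize_time_changes
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_time_changes
```

Two things the output makes visible that the CONFIG_CHANGE record alone does not: an NTP daemon such as chronyd calls adjtimex continuously with an unset auid, so expect a steady stream of those records and filter on auid or comm when hunting for interactive clock changes; and because the rule has no success filter, a failed attempt by an unprivileged user is recorded too, which is usually what you want to see.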
