Auditing can provide accountability by tracing the actions of a user or process. It can state what commands were executed, what files were opened, and when the actions occurred.


Check the status of auditd service


auditd events are recorded to an associated log file found at /var/log/audit and as it runs in the background, you can check the current service status with:


# systemctl status auditd
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2018-06-13 15:16:04 UTC; 3min 14s ago
     Docs: man:auditd(8)
  Process: 656 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
  Process: 651 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
 Main PID: 652 (auditd)
    Tasks: 2
   CGroup: /system.slice/auditd.service
           └─652 /sbin/auditd


If the service is not running, you can start it with below command.

# systemctl start auditd


Auditing system time changes


Let add a suditd rule to monitor any time changes. We will be using system calls “adjtimex” and “settimeofday” to set the auditd rule. Go ahead and add the below rule in the file /etc/audit/rules.d/audit.rules.


# vi /etc/audit/rules.d/audit.rules
-a exit,always -S adjtimex -S settimeofday -k time_change


On CentOS/RHEL 6, the configuration file is /etc/audit/audit.rules instead of /etc/audit/rules.d/audit.rules.



exit,always – are rule actions.

time_change – Name of the key for the audit rule.

adjtimex, settimeofday – system calls related to time change.




You can verify the functioning of audit rule by changing the time.


# date
Wed Jun 13 16:09:37 UTC 2018



# date -s "20160418"
Mon Apr 18 00:00:00 UTC 2016


We can search through the audit logfile with the key defined with the rule (“time_change”). The command used to search through log files is “ausearch”.


# ausearch -k time_change
time->Fri Apr 18 00:01:43 2014
type=CONFIG_CHANGE msg=audit(1397779303.375:276): auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 op=add_rule key="time_change" list=4 res=1


Was this answer helpful? 0 Users Found This Useful (0 Votes)