It is sometimes very important to ensure that the system time is accurate, especially in banking environments. A wrong time on a system, whether caused by human error or a faulty operation, can lead to serious mistakes. To guard against such situations you can use the auditd service to record every event that changes the system time.
Auditing can provide accountability by tracing the actions of a user or process. It can state what commands were executed, what files were opened, and when the actions occurred.
Check the status of the auditd service
auditd events are recorded to a log file under /var/log/audit. Since auditd runs in the background, you can check the current status of the service with:
# systemctl status auditd
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2018-06-13 15:16:04 UTC; 3min 14s ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
  Process: 656 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
  Process: 651 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
 Main PID: 652 (auditd)
    Tasks: 2
   CGroup: /system.slice/auditd.service
           └─652 /sbin/auditd
If the service is not running, start it with the following command.
# systemctl start auditd
Auditing system time changes
Let's add an auditd rule to monitor any time changes. We will be using the system calls “adjtimex” and “settimeofday”.
# vi /etc/audit/rules.d/audit.rules
-a exit,always -S adjtimex -S settimeofday -k time_change
exit,always – the rule's list (exit, evaluated when the system call returns) and action (always, i.e. always generate a record).
time_change – name of the key for the audit rule, used later to find its records.
adjtimex, settimeofday – system calls related to time changes.
You can verify that the audit rule works by changing the time.
# date
Wed Jun 13 16:09:37 UTC 2018
# date -s "20160418"
Mon Apr 18 00:00:00 UTC 2016
We can search the audit log for the key defined in the rule (“time_change”). The command used to search through the audit log files is “ausearch”.
# ausearch -k time_change
----
time->Fri Apr 18 00:01:43 2014
type=CONFIG_CHANGE msg=audit(1397779303.375:276): auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 op=add_rule key="time_change" list=4 res=1
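The following script is an added example, not part of the original post, that ties the rule above and the ausearch step together in a form you can keep in a repository. It goes one step further than the rule on the page: it lists the rule for both the 64-bit and the 32-bit syscall ABI and adds clock_settime, because current glibc and coreutils set the clock through clock_settime rather than settimeofday, so a rule naming only adjtimex and settimeofday can miss a plain "date -s". The install function (assumed to run as root on an x86_64 host with auditd and augenrules, as in the status output above) writes the rule into its own file under /etc/audit/rules.d and loads it; the summarizer reduces raw audit records to one line per time-change syscall, skipping the CONFIG_CHANGE record that ausearch also returns for the key. The sample log lines are constructed for this example, and the syscall-number-to-name table assumes x86_64 (use "ausearch -i" to have the audit tools interpret numbers on other architectures).

```shell
#!/bin/sh
# Added example (not from the original post): manage and summarize the
# time_change audit rule. Assumes: auditd with augenrules, x86_64 host,
# root privileges for install_time_change_rules.

# Rule lines for every syscall that can set or slew the clock.
# Both ABIs are listed so a 32-bit binary is not missed; stime only exists on b32.
time_change_rules() {
  printf '%s\n' \
    '-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time_change' \
    '-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -S stime -k time_change'
}

# Write the rules to a dedicated file, let augenrules merge and load
# /etc/audit/rules.d/*.rules, then show the loaded rules carrying our key.
install_time_change_rules() {
  time_change_rules > /etc/audit/rules.d/time-change.rules
  augenrules --load
  auditctl -l | grep -F 'time_change'
}

# Reduce raw audit records (stdin, e.g. "ausearch -k time_change" output) to
# "<syscall> auid=.. uid=.. comm=.. exe=.. success=.." for SYSCALL records only.
summarize_time_change_events() {
  awk '
    BEGIN {
      # x86_64 syscall numbers (assumption; other arches differ).
      name[159] = "adjtimex"; name[164] = "settimeofday"; name[227] = "clock_settime"
    }
    /^type=SYSCALL / && /key="time_change"/ {
      split("", kv)                      # clear key/value map for this record
      for (i = 1; i <= NF; i++) {
        n = index($i, "=")
        if (n == 0) continue
        k = substr($i, 1, n - 1); v = substr($i, n + 1)
        gsub(/"/, "", v)
        kv[k] = v
      }
      sc = (kv["syscall"] in name) ? name[kv["syscall"]] : kv["syscall"]
      printf "%s auid=%s uid=%s comm=%s exe=%s success=%s\n",
             sc, kv["auid"], kv["uid"], kv["comm"], kv["exe"], kv["success"]
    }'
}

# Constructed sample: the rule-add record plus two syscall records
# (a successful "date -s" via clock_settime and a denied settimeofday).
sample_audit_log() {
  cat <<'EOF'
type=CONFIG_CHANGE msg=audit(1528906000.100:300): auid=4294967295 ses=4294967295 op=add_rule key="time_change" list=4 res=1
type=SYSCALL msg=audit(1528906177.123:301): arch=c000003e syscall=227 success=yes exit=0 a0=0 a1=7ffd4c1e0a60 a2=0 a3=0 items=0 ppid=1510 pid=1588 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="date" exe="/usr/bin/date" key="time_change"
type=SYSCALL msg=audit(1528906190.456:302): arch=c000003e syscall=164 success=no exit=-1 a0=7ffe1b2c3d40 a1=0 a2=0 a3=0 items=0 ppid=1510 pid=1602 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ntpdate" exe="/usr/sbin/ntpdate" key="time_change"
EOF
}

# Usage: ./time_change_audit.sh install   (as root, loads the rules)
#        ./time_change_audit.sh demo      (summarizes the constructed sample)
#        ausearch -k time_change --raw | ./time_change_audit.sh summarize
case "${1:-}" in
  install)   install_time_change_rules ;;
  demo)      sample_audit_log | summarize_time_change_events ;;
  summarize) summarize_time_change_events ;;
esac
```

The summarizer keeps the auid (the login user, which survives su and sudo) next to the effective uid, so a clock change made as root is still attributed to the person who logged in; a "success=no" line is worth as much attention as a successful one, since it shows an unprivileged process trying to move the clock.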