A question on monitoring time or time management changes in the kernel and the adjtimex system call

Paul Moore paul at paul-moore.com
Mon Jan 9 15:51:32 UTC 2023


On Mon, Jan 9, 2023 at 2:33 AM Burn Alting <burn.alting at iinet.net.au> wrote:
>
> All,
>
> Would it be correct to say that when one sees an adjtimex system call audit event, a change has occurred ONLY if either an AUDIT_TIME_ADJNTPVAL (algorithm change) or AUDIT_TIME_INJOFFSET (time change) record is present in the event?

Looking at audit_log_time() and audit_tk_injoffset() it appears that
an AUDIT_TIME_INJOFFSET record would indicate a time shift given by
the "sec"/"nsec" fields while an AUDIT_TIME_ADJNTPVAL *might* indicate
a shift depending on what was adjusted; you probably want to check the
adjtimex(2) manpage, specifically the struct timex definition for more
information on the AUDIT_TIME_ADJNTPVAL "op" field and "new"/"old"
values.

* https://man7.org/linux/man-pages/man2/adjtimex.2.html

Hopefully that helps a little bit.

--
paul-moore.com
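
An added example, not part of the original message or of the audit project's code: a small parser that groups raw audit records by event ID and, for each adjtimex event, reports which of the two time records accompany it, with the "sec"/"nsec" and "op"/"old"/"new" fields discussed above. It assumes raw audit.log line layout with record types written as TIME_INJOFFSET and TIME_ADJNTPVAL, and that adjtimex is syscall 159 (x86_64); the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the thread). syscall=159 is adjtimex
# on x86_64, which is an assumption about the audited host.
SAMPLE = """\
type=TIME_INJOFFSET msg=audit(1673250000.100:41): sec=-16 nsec=124887145
type=SYSCALL msg=audit(1673250000.100:41): arch=c000003e syscall=159 success=yes exit=0 comm="chronyd"
type=TIME_ADJNTPVAL msg=audit(1673250005.200:42): op=status old=64 new=8256
type=TIME_ADJNTPVAL msg=audit(1673250005.200:42): op=freq old=0 new=1234567
type=SYSCALL msg=audit(1673250005.200:42): arch=c000003e syscall=159 success=yes exit=0 comm="chronyd"
type=SYSCALL msg=audit(1673250009.300:43): arch=c000003e syscall=159 success=yes exit=0 comm="ntpq"
type=SYSCALL msg=audit(1673250010.400:44): arch=c000003e syscall=2 success=yes exit=3 comm="cat"
"""

# Records sharing the same "timestamp:serial" belong to one audit event.
REC = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+:\d+)\): (.*)$")
ADJTIMEX = {"159", "adjtimex"}  # raw x86_64 number, or the name from ausearch -i


def fields(body):
    """Split key=value pairs (values optionally quoted) into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', body)}


def classify(log_text):
    """Return {event_id: summary} for every event whose SYSCALL is adjtimex."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = REC.match(line.strip())
        if m:
            events[m.group(2)].append((m.group(1), fields(m.group(3))))
    out = {}
    for event_id, recs in events.items():
        if not any(t == "SYSCALL" and f.get("syscall") in ADJTIMEX for t, f in recs):
            continue
        inj = [(int(f["sec"]), int(f["nsec"])) for t, f in recs if t == "TIME_INJOFFSET"]
        ntp = [(f["op"], int(f["old"]), int(f["new"])) for t, f in recs if t == "TIME_ADJNTPVAL"]
        # INJOFFSET is a time shift; ADJNTPVAL alone needs its "op" inspected.
        kind = "time_shift" if inj else "ntp_value_change" if ntp else "no_time_record"
        out[event_id] = {"kind": kind, "injoffset": inj, "ntp": ntp}
    return out


if __name__ == "__main__":
    for event_id, summary in classify(SAMPLE).items():
        print(event_id, summary)
```

Events classified as "ntp_value_change" still need their "op" values read against struct timex in adjtimex(2) to decide whether the clock itself was affected.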


