Avatar of mapage21

CentOS 5.4 auditing

I am currently using CentOS 5.4. I have configured my audit.rules file using most of the NSA rules.

I thought the following entry would monitor time changes:
-a entry,always -F arch=b32 -S adjtimex -S clock_settime -S settimeofday -k time-change
-w /etc/localtime -p wa -k time-change

To test this, I log out as root and log in as a general user with no privileges. I attempt to change the time from the terminal using date 01010101

The system states that I do not have permission to change system, good.

I attempt to change the time in the GUI by right-clicking on the time at the upper right corner, and it asks for root's password. Good.

But it appears that it is not being logged. Can anyone help me with this?
Avatar of unSpawn
This solution is only available to members.
Avatar of mapage21



I will try using the comments that you have provided. I can't tell you how happy I was that someone was able to explain what I was seeing. You can go as deep in the weeds as you like, I will catch up. I did keep seeing the messages you provided, but could not explain them. I will let you know in a couple of days.

Thank you unSpawn, I was able to test this today and it worked like a champ.
Good to hear it helped!