Auditing - Date Change Attempts?
I'm new here and am fairly new to linux and even more of a linux security newbie.
I'm trying to set up a system at work with some initial auditing options. I've got Red Hat Linux 9.0 running on a single processor system. I've so far found solutions to almost all my auditing needs, which mostly include the monitoring for attempted access to security relevent files/directories. I'm using snare 0.9.6 for this.
But I'm still missing the auditing for a certain event. I'd like to audit when someone attempts to change the system date via the date program, weather it be successful or unsuccessful. I obviously can't just watch the date program because users are allowed to run it, they just can't feed it a spring to change the date. I don't know of any file that get's touched or checked when the date program is ran in order to change the date. Is there maybe a logging feature in the system I can turn on to track this, or is there maybe a library that is accessed when the date program attempts to change the date that isn't access when it just returns the date? Either enabling a system option or watching a file for attempted access should be easy to implement, I just don't know where to look.