LinuxQuestions.org
Old 10-26-2004, 08:47 AM   #1
dant98
LQ Newbie
 
Registered: Oct 2004
Distribution: RH Linux 9.0
Posts: 1

Rep: Reputation: 0
Auditing - Date Change Attempts?


Hi Everyone,

I'm new here and am fairly new to linux and even more of a linux security newbie.

I'm trying to set up a system at work with some initial auditing options. I've got Red Hat Linux 9.0 running on a single processor system. I've so far found solutions to almost all my auditing needs, which mostly include the monitoring for attempted access to security relevant files/directories. I'm using snare 0.9.6 for this.

But I'm still missing the auditing for a certain event. I'd like to audit when someone attempts to change the system date via the date program, whether it be successful or unsuccessful. I obviously can't just watch the date program because users are allowed to run it, they just can't feed it a string to change the date. I don't know of any file that gets touched or checked when the date program is run in order to change the date. Is there maybe a logging feature in the system I can turn on to track this, or is there maybe a library that is accessed when the date program attempts to change the date that isn't accessed when it just returns the date? Either enabling a system option or watching a file for attempted access should be easy to implement, I just don't know where to look.


Thanks!

-Dan
 
Old 10-31-2004, 04:27 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Rep: Reputation: 2601
Quote: But I'm still missing the auditing for a certain event. I'd like to audit when someone attempts to change the system date via the date program, whether it be successful or unsuccessful.
In any case you'll have to be root to be able to change the time (using "date" is rather crude too)...

If you're watching syscalls, it'll be settimeofday. That's what "date -s" and ntpd use.

If you're out to deny people access to change system time (after you set it properly on boot) use "lcap" to remove the CAP_SYS_TIME capability. Note this will deny root running ntpd, will make a flakey system if the BIOS clock drifts and can not be undone except for a reboot.

Last edited by unSpawn; 10-31-2004 at 04:52 PM.
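Added example, not part of either post: a filter that picks clock-setting syscalls out of syscall audit records and reports whether each attempt succeeded, which is the "successful or unsuccessful" distinction asked about above. It assumes Linux audit daemon (auditd) style `type=SYSCALL` records rather than the Snare setup in the thread, matches `clock_settime` in addition to the `settimeofday` call named in the reply, and runs on constructed sample records.

```python
import re

# (arch, syscall number) -> name, for calls that set the system clock.
# arch c000003e = x86_64, 40000003 = i386 (auditd's hex arch field).
TIME_SYSCALLS = {
    ("c000003e", 164): "settimeofday",
    ("c000003e", 227): "clock_settime",
    ("40000003", 79): "settimeofday",
    ("40000003", 264): "clock_settime",
}

# key=value pairs; values are either "quoted" or a run of non-spaces.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def time_change_attempts(lines):
    """Return one dict per SYSCALL record that tried to set the clock."""
    hits = []
    for line in lines:
        if not line.startswith("type=SYSCALL"):
            continue
        f = {k: v.strip('"') for k, v in FIELD.findall(line)}
        try:
            name = TIME_SYSCALLS.get((f["arch"], int(f["syscall"])))
        except (KeyError, ValueError):
            continue  # truncated or malformed record
        if name is None:
            continue  # some other syscall, e.g. date just reading the clock
        hits.append({
            "syscall": name,
            "allowed": f.get("success") == "yes",  # "no" = denied attempt
            "uid": f.get("uid"),    # effective identity at call time
            "auid": f.get("auid"),  # login identity, survives su to root
            "exe": f.get("exe"),
        })
    return hits

# Constructed sample records (not taken from a real system).
SAMPLE = [
    'type=SYSCALL msg=audit(1098794820.123:101): arch=c000003e syscall=164 success=no exit=-1 pid=2150 auid=500 uid=500 comm="date" exe="/bin/date"',
    'type=SYSCALL msg=audit(1098794825.456:102): arch=c000003e syscall=2 success=yes exit=3 pid=2151 auid=500 uid=500 comm="date" exe="/bin/date"',
    'type=SYSCALL msg=audit(1098794900.789:103): arch=c000003e syscall=164 success=yes exit=0 pid=2200 auid=500 uid=0 comm="date" exe="/bin/date"',
    'type=SYSCALL msg=audit(1098794901.000:104): arch=c000003e syscall=',
]

if __name__ == "__main__":
    for hit in time_change_attempts(SAMPLE):
        print(hit)
```

The first sample record is the unprivileged `date -s` case (denied, `exit=-1` is EPERM); the third is the same login user after becoming root, which only the `auid` field reveals.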
 
  

