I am using both the NISPOM and STIG rules for my audit.rules file. As
root, if I perform a system time change, it does not capture this
information in either /var/log/secure or /var/log/audit/audit.log. How
can I capture when someone changes the time or attempts to change the
time?
Just add the following to the audit.rules file. Should record any attempt to set or adjust
time from a non-privileged user or root.
-S clock_settime -S settimeofday -S adjtimex
# Log administrative functions 32bit
-a exit,always -F arch=b32 -S reboot -S clock_settime -S settimeofday -S adjtimex -S setdomainname -S sethostname -S mount -S umount2 -k admin
# Log administrative functions 64bit
-a exit,always -F arch=b64 -S reboot -S clock_settime -S settimeofday -S adjtimex -S setdomainname -S sethostname -S mount -S umount2 -k admin
From: linux-audit-bounces(a)redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of
Rye, Gene R.
Sent: Thursday, January 19, 2012 12:37 PM
To: linux-audit(a)redhat.com
Subject: EXTERNAL: Capture System Time Changes
I am using both the NISPOM and STIG rules for my audit.rules file. As root, if I perform
a system time change, it does not capture this information in either /var/log/secure or
/var/log/audit/audit.log. How can I capture when someone changes the time or attempts to
change the time?
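
An added example, not part of the thread: once the rules above are loaded, this sketch picks the time-setting calls out of raw audit.log SYSCALL records tagged with the "admin" key, including denied attempts (success=no) from non-root users. The function name, the sample records and the syscall-number tables (x86_64 and i386 are assumed) are constructed for illustration.

```python
import re

# Syscall numbers of the three calls in the rules, keyed by the audit arch field.
# Assumption: x86_64 (c000003e) and i386 (40000003) syscall tables.
TIME_SYSCALLS = {
    "c000003e": {159: "adjtimex", 164: "settimeofday", 227: "clock_settime"},
    "40000003": {79: "settimeofday", 124: "adjtimex", 264: "clock_settime"},
}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
STAMP = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\)")

# Constructed sample records (not taken from a real system).
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1326994620.101:4001): arch=c000003e syscall=227 success=yes exit=0 pid=2950 auid=500 uid=0 comm="date" exe="/bin/date" key="admin"',
    'type=SYSCALL msg=audit(1326994655.220:4002): arch=c000003e syscall=227 success=no exit=-1 pid=2971 auid=501 uid=501 comm="date" exe="/bin/date" key="admin"',
    'type=SYSCALL msg=audit(1326994700.007:4003): arch=40000003 syscall=79 success=yes exit=0 pid=2990 auid=500 uid=0 comm="hwclock" exe="/sbin/hwclock" key="admin"',
    'type=SYSCALL msg=audit(1326994710.330:4004): arch=c000003e syscall=165 success=yes exit=0 pid=2995 auid=500 uid=0 comm="mount" exe="/bin/mount" key="admin"',
    'type=CWD msg=audit(1326994710.330:4004): cwd="/root"',
]

def time_change_events(lines, key="admin"):
    """Return successful and failed time-setting calls recorded under `key`."""
    events = []
    for line in lines:
        stamp = STAMP.search(line)
        if not line.startswith("type=SYSCALL") or stamp is None:
            continue
        f = {k: v.strip('"') for k, v in FIELD.findall(line)}
        table = TIME_SYSCALLS.get(f.get("arch"), {})
        name = table.get(int(f["syscall"])) if f.get("syscall", "").isdigit() else None
        if name is None or f.get("key") != key:
            continue  # other "admin" syscalls (mount, reboot, ...) or another key
        events.append({
            "epoch": int(stamp.group(1)), "serial": int(stamp.group(2)),
            "syscall": name, "success": f.get("success") == "yes",
            "auid": f.get("auid"), "uid": f.get("uid"), "exe": f.get("exe"),
        })
    return events

if __name__ == "__main__":
    for e in time_change_events(SAMPLE_LOG):
        outcome = "ok" if e["success"] else "DENIED"
        print(f'{e["epoch"]} #{e["serial"]} {e["syscall"]} {outcome} '
              f'auid={e["auid"]} uid={e["uid"]} exe={e["exe"]}')
```

On a live system the same raw records can be obtained with `ausearch -k admin --raw` and passed to the function line by line.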