Re: A question on monitoring time or time management changes in the kernel and the adjtimex system call

Monday, 9 January 2023

On Mon, Jan 9, 2023 at 2:33 AM Burn Alting <burn.alting(a)iinet.net.au&gt; wrote:
...

 All,

 Would it be correct to say that when one sees an adjtimex system call audit event, a
change has occurred ONLY if either a AUDIT_TIME_ADJNTPVAL (algorithm change) or
AUDIT_TIME_INJOFFSET (time change) record is present in the event? 
Looking at audit_log_time() and audit_tk_injoffset() it appears that
an AUDIT_TIME_INJOFFSET record would indicate a time shift given by
the "sec"/"nsec" fields while an AUDIT_TIME_ADJNTPVAL *might*
indicate
a shift depending on what was adjusted, you probably want to check the
adjtimex(2) manpage, specifically the struct timex definition for more
information on the AUDIT_TIME_ADJNTPVAL "op" field and
"new"/"old"
values.

* https://man7.org/linux/man-pages/man2/adjtimex.2.html

Hopefully that helps a little bit.

--
paul-moore.com

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Re: A question on monitoring time or time management changes in the kernel and the adjtimex system call