I was trying to get my system to pass a System Readiness Review (SRR) from disa.mil and it would appear that stime(2) is not audited under x86_64, either in v1.0.15 or v1.2.1 of auditd. I've looked at the source code and stime(2) only seems to be audited on i386, ppc, and s390. stime(2) is in my libc (nm /lib/libc.so.6 | grep stime).

Is this on purpose or is there something deeper? The full line of what DISA expected me to configure is

    -a exit,always -S stime -S acct -S reboot -S swapon

A careful observer will note that the CAPP suggested configuration already captures adjtimex and settimeofday. I just want to pass my test, but is there overlap here that I should push back on?

Thanks,
Charlie Todd
Ball Aerospace & Technologies Corp.
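
To check a rule like the one quoted above against the architecture it will be loaded on, this added example (not part of the original message and not auditd code) uses the C library's `SYS_*` macros to keep only the syscalls the build architecture defines. The names `known`, `syscall_nr` and `build_rule` are made up for this illustration.

```c
/* Added example: keep only the audit-rule syscalls this build arch defines. */
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>  /* SYS_<name> exists only for syscalls this arch has */
/* Absent syscalls get the sentinel -1 so they can still sit in the table. */
#ifndef SYS_stime
#define SYS_stime (-1L)   /* e.g. x86_64, whose syscall table has no stime */
#endif
#ifndef SYS_acct
#define SYS_acct (-1L)
#endif
#ifndef SYS_reboot
#define SYS_reboot (-1L)
#endif
#ifndef SYS_swapon
#define SYS_swapon (-1L)
#endif

static const struct { const char *name; long nr; } known[] = {
    { "stime", SYS_stime }, { "acct", SYS_acct },
    { "reboot", SYS_reboot }, { "swapon", SYS_swapon },
};

/* Syscall number on this architecture, or -1 if absent or not in the table. */
long syscall_nr(const char *name) {
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(known[i].name, name) == 0)
            return known[i].nr;
    return -1;
}

/* Write "-a exit,always -S ..." with the names that exist; return the number dropped. */
int build_rule(const char *const *names, size_t n, char *out, size_t outsz) {
    int dropped = 0;
    size_t used = (size_t)snprintf(out, outsz, "-a exit,always");
    for (size_t i = 0; i < n; i++) {
        if (syscall_nr(names[i]) < 0) { dropped++; continue; }
        if (used < outsz)
            used += (size_t)snprintf(out + used, outsz - used, " -S %s", names[i]);
    }
    return dropped;
}

int main(void) {
    const char *want[] = { "stime", "acct", "reboot", "swapon" };  /* rule from the message */
    char rule[128];
    printf("dropped %d: %s\n", build_rule(want, 4, rule, sizeof rule), rule);
    return 0;
}
```

Compiled with `-m32` on an x86 host, the same program keeps `stime` in the rule, since the i386 syscall table does define it.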