- ID: DT030
- Created: 31st May 2024
- Updated: 07th September 2024
- Platform: Linux
- Contributor: The ITM Team
auditd Timestamp Modification Rule
Audit Daemon (auditd) is a powerful tool in Linux for tracking and logging system events, including file access. It’s part of the Linux Auditing System, which provides detailed and customizable logging of various types of system activity.
Below is an example auditd rule to detect timestamp modification. Open the auditd rules file with an editor such as Nano:

```shell
sudo nano /etc/audit/rules.d/audit.rules
```

Add the following line:

```
-a always,exit -F arch=b64 -S utimensat -F key=timestamp-changed
```

Rules placed under /etc/audit/rules.d/ take effect once they are loaded into the kernel, for example with `sudo augenrules --load`.
| Component | Meaning |
|---|---|
| `-a` | Append a rule to the audit system |
| `always,exit` | `always` is the action: generate an audit record every time the rule matches. `exit` is the filter list the rule is attached to: the syscall-exit list, so the record is written when the system call returns and includes its outcome (`success=yes` or `success=no`) |
| `-F arch=b64` | Filter condition: the rule applies to 64-bit system calls (`-F arch=b32` selects the 32-bit syscall table; on a 64-bit host, add a second rule with `arch=b32` so that 32-bit processes are not missed) |
| `-S utimensat` | Audit the `utimensat` system call, which is the call behind `touch` and the libc `utime`/`utimes` wrappers on current glibc systems |
| `-F key=timestamp-changed` | Tags matching records with a key for easier identification in the logs |
To review audit logs related to this rule, we can use ausearch with the key (`sudo ausearch -k timestamp-changed`), or read and retrieve the matching lines from the raw audit log with grep (`sudo grep timestamp-changed /var/log/audit/audit.log`). ausearch also joins the SYSCALL, CWD and PATH records of one event, which grep on its own does not.
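Grep on the key returns only the SYSCALL record; the file that was touched is in the PATH record of the same event, and the working directory in its CWD record. The following is an added example, not code from DT030 or the auditd project, that correlates those records from raw audit.log lines and turns them into per-event alerts; the sample log lines are constructed.

```python
# Added example, not DT030's or the auditd project's code: correlate raw auditd records
# carrying the rule's key into per-event alerts. The sample log lines below are constructed.
import os
import re
from typing import Dict, List
KEY = "timestamp-changed"                      # the -F key= value from the rule
HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def correlate(lines) -> Dict[int, dict]:
    # Records of one syscall (SYSCALL, CWD, PATH, ...) share the audit(ts:serial) id; group by serial.
    events: Dict[int, dict] = {}
    for m in filter(None, (HEADER_RE.match(line.strip()) for line in lines)):
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault(int(serial), {"time": float(ts), "cwd": "", "paths": []})
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "CWD":
            ev["cwd"] = fields.get("cwd", "")
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name", ""))
    return events

def find_timestamp_changes(lines) -> List[dict]:
    alerts = []
    for serial, ev in sorted(correlate(lines).items()):
        sc = ev.get("syscall")
        if not sc or sc.get("key") != KEY:   # keep only events tagged by this rule
            continue
        alerts.append({
            "serial": serial, "time": ev["time"], "exe": sc.get("exe", "?"),
            "auid": sc.get("auid", "?"),            # login uid survives sudo/su: the real user
            "success": sc.get("success") == "yes",  # denied attempts are still worth seeing
            # PATH names are relative to the recorded cwd unless already absolute
            "paths": [os.path.normpath(os.path.join(ev["cwd"], p)) for p in ev["paths"]],
        })
    return alerts

SAMPLE_LOG = [  # constructed: a successful touch, an unrelated exec, a denied touch
    'type=SYSCALL msg=audit(1717171717.123:456): arch=c000003e syscall=280 success=yes exit=0 items=1 pid=1235 auid=1000 uid=0 comm="touch" exe="/usr/bin/touch" key="timestamp-changed"',
    'type=CWD msg=audit(1717171717.123:456): cwd="/home/alice"',
    'type=PATH msg=audit(1717171717.123:456): item=0 name="notes.txt" inode=131 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 nametype=NORMAL',
    'type=SYSCALL msg=audit(1717171718.500:457): arch=c000003e syscall=59 success=yes exit=0 items=2 pid=1240 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key="exec-watch"',
    'type=SYSCALL msg=audit(1717171720.001:458): arch=c000003e syscall=280 success=no exit=-13 items=1 pid=1250 auid=1001 uid=1001 comm="touch" exe="/usr/bin/touch" key="timestamp-changed"',
    'type=PATH msg=audit(1717171720.001:458): item=0 name="/var/log/auth.log" inode=9 dev=fd:01 mode=0100640 ouid=0 ogid=4 nametype=NORMAL',
]
if __name__ == "__main__":
    print(*find_timestamp_changes(SAMPLE_LOG), sep="\n")
```

Feed it the real file (`sudo cat /var/log/audit/audit.log`) to get the same correlation on a live host; the unrelated `exec-watch` event in the sample shows that the key filter, not the syscall number, selects what is reported.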
Sections
| ID | Name | Description |
|---|---|---|
| AF003 | Timestomping | A subject modifies the modified, accessed, created (MAC) file time attributes to hide new files or obscure changes made to existing files to hinder an investigation by removing a file or files from a timeframe scope. |
nTimestomp is part of the nTimetools repository, and it provides tools for working with timestamps on files on the Windows operating system. This tool allows for a user to provide arguments for each timestamp, as well as the option to set all timestamps to the same value.
Linux has the built-in command