- ID: DT156
- Created: 04th May 2026
- Updated: 04th May 2026
- Platform: Linux
- Contributor: The ITM Team
auditd System Clock Modification Rule
Audit Daemon (auditd) is a Linux tool for tracking and logging system events, including security-relevant system calls. It is part of the Linux Auditing System and can be used to record attempts to modify the system clock.
This detection records time-changing system calls that may be used by a subject to alter local system time and disrupt forensic timeline analysis. These calls may be invoked directly or through administrative utilities such as date, timedatectl, hwclock, Chrony, NTP tooling, or custom scripts.
Below is an example auditd rule to detect system clock modification:
sudo nano /etc/audit/rules.d/audit.rules
Opens the auditd rules file with the Nano editor. Add the following lines:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k system-time-changed
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -k system-time-changed
Rule Explanation:
| Option | Meaning |
|---|---|
| -a | Add a rule to the audit system. |
| always,exit | Apply this rule when the system call exits. Audit records will be generated when the configured system calls complete. |
| -F arch=b64 | Filter condition. Specifies that this rule applies to the 64-bit architecture. |
| -F arch=b32 | Filter condition. Specifies that this rule applies to the 32-bit architecture. This should be included where 32-bit compatibility is enabled or required. |
| -S adjtimex | Specifies the adjtimex system call to be audited. This call can adjust kernel clock parameters. |
| -S settimeofday | Specifies the settimeofday system call to be audited. This call can set the system time. |
| -S clock_settime | Specifies the clock_settime system call to be audited. This call can set the time for a specified clock. |
| -k system-time-changed | Adds a key to the rule for easier identification in the logs. |
To review audit logs related to this rule, use ausearch:
ausearch -k system-time-changed
or retrieve matching lines from the raw audit logs with grep:
sudo grep system-time-changed /var/log/audit/audit.log
Investigators should review the audit record fields to identify the subject and execution context, including auid, uid, euid, ses, exe, comm, cwd, and tty. The auid field is particularly important because it may preserve the original authenticated subject even where the effective user is root after privilege elevation.
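As an added example (not part of this detection page or the ITM project), the following Python walks raw audit.log records tagged with the rule key, merges the SYSCALL and CWD records that share one event id, and flags events where the auid differs from the uid, which is the sudo/su case described above. The sample log lines and the x86_64 syscall-number mapping are constructed assumptions for the example.

```python
import re

# Constructed sample of raw /var/log/audit/audit.log lines (not captured from a real host).
# Records of one event share the msg=audit(TIME:SERIAL) id: the SYSCALL record carries the
# subject fields, the CWD record of the same event carries the working directory.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1746356400.123:4567): arch=c000003e syscall=227 success=yes exit=0 a0=0 a1=7ffc1 items=0 ppid=2201 pid=2202 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="date" exe="/usr/bin/date" key="system-time-changed"
type=CWD msg=audit(1746356400.123:4567): cwd="/home/alice"
type=SYSCALL msg=audit(1746356460.500:4590): arch=c000003e syscall=159 success=yes exit=0 a0=0 a1=0 items=0 ppid=1 pid=880 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" key="system-time-changed"
type=USER_LOGIN msg=audit(1746356470.000:4600): pid=900 uid=0 auid=1000 ses=5 msg='op=login id=1000 exe="/usr/sbin/sshd" res=success'
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
AUID_UNSET = "4294967295"  # auditd's value for "no login session"
# x86_64 numbers of the three calls the rule audits (only valid for arch=c000003e)
SYSCALLS_X86_64 = {"159": "adjtimex", "164": "settimeofday", "227": "clock_settime"}
FIELDS = ("auid", "uid", "euid", "ses", "exe", "comm", "cwd", "tty")

def parse_events(log_text):
    """Merge every record of an audit event into one dict keyed by TIME:SERIAL."""
    events = {}
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(f"{m.group(1)}:{m.group(2)}", {})
        for k, v in KV_RE.findall(line):
            ev.setdefault(k, v.strip('"'))  # first record's value wins (e.g. type)
    return events

def time_change_findings(log_text, key="system-time-changed"):
    """One finding per event tagged with the rule key, plus two analyst flags."""
    findings = []
    for ev_id, ev in parse_events(log_text).items():
        if ev.get("key") != key:
            continue
        sc = ev.get("syscall", "?")
        if ev.get("arch") == "c000003e":
            sc = SYSCALLS_X86_64.get(sc, sc)
        f = {"event": ev_id, "syscall": sc}
        f.update({k: ev.get(k, "?") for k in FIELDS})
        auid = ev.get("auid")
        # auid survives sudo/su, so a login user acting as root is worth a closer look
        f["elevated"] = auid not in (None, AUID_UNSET) and auid != ev.get("uid")
        # no login session: daemons such as chronyd/ntpd or boot-time clock sync
        f["no_session"] = auid == AUID_UNSET
        findings.append(f)
    return findings
```

Running `time_change_findings` over the text of /var/log/audit/audit.log gives one dict per clock change with the fields listed above; the sample yields an elevated `date` call by auid 1000 and an unattributed `adjtimex` from chronyd.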
This detection should be correlated with sudo logs, shell history, endpoint telemetry, authentication records, and centralized SIEM ingestion time. A system clock modification occurring near file staging, log deletion, privilege escalation, archive creation, removable media activity, or outbound data transfer may indicate anti-forensic intent.
Sections
| ID | Name | Description |
|---|---|---|
| AF032 | System Time Modification | A subject modifies the system date, time, time zone, hardware clock, or time synchronization configuration of a device to obscure the chronology of activity relevant to an insider threat investigation. This behavior may affect timestamps associated with file creation, file modification, authentication events, process execution, log generation, scheduled activity, or other forensic artifacts used to reconstruct subject activity. System time modification may be performed before, during, or after an infringement to create ambiguity in the investigative timeline, frustrate correlation between endpoint, identity, network, and application telemetry, or cause investigators to misinterpret the sequence of events. The behavior should be assessed in context with administrative privilege use, time synchronization changes, endpoint telemetry gaps, and inconsistencies between local artifacts and centralized logging sources. |
| AF032.002 | Linux System Time Modification | A subject modifies the Linux system time, time zone, hardware clock, or time synchronization configuration to obscure the chronology of activity relevant to an insider threat investigation. This behavior may affect timestamps associated with file creation, file modification, authentication records, shell history, service execution, package activity, scheduled jobs, and other host-based artifacts used to reconstruct subject activity. On Linux systems, this behavior may involve commands or utilities such as |