Insider Threat Matrix™
  • ID: DT157
  • Created: 04th May 2026
  • Updated: 04th May 2026
  • Platform: Linux
  • Contributor: The ITM Team

auditd Time Zone Modification Rule

Audit Daemon (auditd) is a Linux tool for tracking and logging system events, including file access, attribute changes, and security-relevant configuration changes. It is part of the Linux Auditing System and can be used to record attempts to modify the system time zone configuration.


This detection records changes to /etc/localtime, which is commonly used by Linux systems to define the local system time zone. A subject may alter the system time zone to disrupt forensic timeline analysis, create apparent timestamp displacement, or complicate the interpretation of local artifacts, authentication records, shell activity, service logs, and application events.


Below is an example auditd rule to detect time zone modification:


sudo nano /etc/audit/rules.d/audit.rules

Opens the auditd rules file with the Nano editor. Add the following line:


-w /etc/localtime -p wa -k timezone-changed


Rule Explanation:


  • -w /etc/localtime Watches the /etc/localtime file for activity. This file is commonly used to define the local system time zone.
  • -p wa Specifies the permissions to monitor. w records write activity, and a records attribute changes.
  • -k timezone-changed Adds a key to the rule for easier identification in the logs.


To review audit logs related to this rule, use ausearch:

ausearch -k timezone-changed

or retrieve matching lines from the raw audit logs with grep:

sudo grep timezone-changed /var/log/audit/audit.log


Investigators should review the audit record fields to identify the subject and execution context, including auid, uid, euid, ses, exe, comm, cwd, name, nametype, and tty. The auid field is particularly important because it may preserve the original authenticated subject even where the effective user is root after privilege elevation.
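The following shell helper is an added example, not part of the ITM entry: it joins the SYSCALL, CWD and PATH records that share one audit event serial, prints the fields listed above on a single triage line for each event keyed "timezone-changed", and flags events where auid and euid differ. The audit records in SAMPLE_LOG and the function name are constructed for this example; the field names are the standard audit record fields.

```sh
#!/bin/sh
# Constructed auditd records (not real data) for the rule
# "-w /etc/localtime -p wa -k timezone-changed": root, reached via sudo from
# auid=1000, replaces the /etc/localtime symlink; a second unrelated event is noise.
SAMPLE_LOG='type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=88 success=yes exit=0 items=2 ppid=3100 pid=3101 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="ln" exe="/usr/bin/ln" key="timezone-changed"
type=CWD msg=audit(1700000000.123:4242): cwd="/root"
type=PATH msg=audit(1700000000.123:4242): item=0 name="/etc/localtime" inode=1201 dev=08:01 mode=0120777 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1700000000.123:4242): item=1 name="/etc/localtime" inode=1202 dev=08:01 mode=0120777 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1700000005.500:4243): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=2900 pid=2950 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=8 comm="cat" exe="/usr/bin/cat" key=(null)
type=PATH msg=audit(1700000005.500:4243): item=0 name="/etc/hostname" inode=1300 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL'

# summarize_timezone_events [audit.log]   (reads stdin when no file is given)
# Joins the SYSCALL, CWD and PATH records sharing one event serial and prints one
# triage line per event keyed "timezone-changed"; "elevated=yes" marks events
# whose login uid (auid) differs from the effective uid (euid).
summarize_timezone_events() {
  awk '
  # value of " k=..." in a record, quotes stripped; "" when absent
  function field(line, k) {
    if (match(line, " " k "=\"[^\"]*\"")) return substr(line, RSTART + length(k) + 3, RLENGTH - length(k) - 4)
    if (match(line, " " k "=[^ ]*")) return substr(line, RSTART + length(k) + 2, RLENGTH - length(k) - 2)
    return ""
  }
  {
    if (!match($0, /msg=audit\([0-9.]+:[0-9]+\)/)) next
    split(substr($0, RSTART + 10, RLENGTH - 11), ev, ":")   # ev[1]=timestamp, ev[2]=serial
    s = ev[2]
    if ($0 ~ /^type=SYSCALL / && field($0, "key") == "timezone-changed") {
      order[++n] = s; ts[s] = ev[1]
      auid[s] = field($0, "auid"); uid[s] = field($0, "uid"); euid[s] = field($0, "euid")
      ses[s] = field($0, "ses"); tty[s] = field($0, "tty")
      comm[s] = field($0, "comm"); exe[s] = field($0, "exe")
    } else if ($0 ~ /^type=CWD / && (s in ts)) {
      cwd[s] = field($0, "cwd")
    } else if ($0 ~ /^type=PATH / && (s in ts)) {
      paths[s] = paths[s] (paths[s] == "" ? "" : ",") field($0, "name") "(" field($0, "nametype") ")"
    }
  }
  END {
    for (i = 1; i <= n; i++) {
      s = order[i]
      # auid 4294967295 means "unset" (no login session), so it is not an elevation
      flag = (auid[s] != euid[s] && auid[s] != "4294967295") ? " elevated=yes" : ""
      printf "serial=%s ts=%s auid=%s uid=%s euid=%s ses=%s tty=%s comm=%s exe=%s cwd=%s paths=%s%s\n", s, ts[s], auid[s], uid[s], euid[s], ses[s], tty[s], comm[s], exe[s], cwd[s], paths[s], flag
    }
  }' "${1:--}"
}

printf '%s\n' "$SAMPLE_LOG" | summarize_timezone_events
```

On a live host run it as `summarize_timezone_events /var/log/audit/audit.log` after the rule has been loaded with `augenrules --load` (a line added to rules.d is not active until then).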


This detection should be correlated with sudo logs, shell history, endpoint telemetry, authentication records, configuration management logs, and centralized SIEM ingestion time. A time zone modification occurring near file staging, log deletion, privilege escalation, archive creation, removable media activity, or outbound data transfer may indicate anti-forensic intent.

Sections

AF032: System Time Modification

A subject modifies the system date, time, time zone, hardware clock, or time synchronization configuration of a device to obscure the chronology of activity relevant to an insider threat investigation. This behavior may affect timestamps associated with file creation, file modification, authentication events, process execution, log generation, scheduled activity, or other forensic artifacts used to reconstruct subject activity.


System time modification may be performed before, during, or after an infringement to create ambiguity in the investigative timeline, frustrate correlation between endpoint, identity, network, and application telemetry, or cause investigators to misinterpret the sequence of events. The behavior should be assessed in context with administrative privilege use, time synchronization changes, endpoint telemetry gaps, and inconsistencies between local artifacts and centralized logging sources.

AF032.002: Linux System Time Modification

A subject modifies the Linux system time, time zone, hardware clock, or time synchronization configuration to obscure the chronology of activity relevant to an insider threat investigation. This behavior may affect timestamps associated with file creation, file modification, authentication records, shell history, service execution, package activity, scheduled jobs, and other host-based artifacts used to reconstruct subject activity.


On Linux systems, this behavior may involve commands or utilities such as timedatectl, date, hwclock, or changes to time synchronization services such as NTP, Chrony, or systemd-timesyncd.