Audit time change using Wazuh

 Reference

https://documentation.wazuh.com/current/user-manual/capabilities/system-calls-monitoring/audit-configuration.html

Wazuh Agent

#yum install -y auditd

Add the rules below in the /etc/audit/audit.rules 

#vi /etc/audit/audit.rules

-a always,exit -F arch=b64 -S execve -F euid=0 -F key=audit-wazuh-c

-a always,exit -F arch=b32 -S execve -F euid=0 -F key=audit-wazuh-c

#service auditd restart

# date -s 21:00

#cat /var/log/audit/audit.log  | grep "time-change"

type=SYSCALL msg=audit(1733576563.174:2622): arch=c000003e syscall=227 success=yes exit=0 a0=0 a1=7ffd0aff8820 

a2=67544c34 a3=44b82fa09b5a53 items=0 ppid=5531 pid=6299 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 

sgid=0 fsgid=0 tty=pts0 ses=15 comm="date" exe="/usr/bin/date" key="time-change"ARCH=x86_64 SYSCALL=clock_settime 

AUID="user.name" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"

Demo