From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve <m6x@ornl.gov>
Subject: lspp.rules and time changes
Date: Tue, 18 Jul 2006 14:18:39 -0400
Message-ID: <44BD25FF.20707@ornl.gov>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31])
	by int-mx1.corp.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id
	k6IIIPhQ006179
	for <linux-audit@redhat.com>; Tue, 18 Jul 2006 14:18:25 -0400
Received: from emroute4.ornl.gov (emroute4.ornl.gov [160.91.86.27])
	by mx1.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id
	k6IIIKVO004460
	for <linux-audit@redhat.com>; Tue, 18 Jul 2006 14:18:21 -0400
Received: from emroute4.ornl.gov (localhost [127.0.0.1])
	by emroute4.ornl.gov (PMDF V6.2-1x9 #31038)
	with ESMTP id <0J2M008112UJ1G@emroute4.ornl.gov> for
	linux-audit@redhat.com; Tue, 18 Jul 2006 14:18:19 -0400 (EDT)
Received: from ORNLEXCHANGE.ornl.gov (ornlexchange1.ornl.gov [160.91.1.20])
	by emroute4.ornl.gov (PMDF V6.2-1x9 #31038)
	with ESMTP id <0J2M0079F2UH45@emroute4.ornl.gov> for
	linux-audit@redhat.com; Tue, 18 Jul 2006 14:18:19 -0400 (EDT)
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

I know updating contrib/lspp.rules isn't a priority, but if anyone is 
trying to catch changes to the system time, you may find this useful...

I tried out the rule in lspp.rules that should catch changes in the 
system time and discovered that it doesn't catch changes made by the 
date command.  date uses the clock_settime syscall instead of adjtimex 
or settimeofday.

Steve