I want to deploy auditing focused on some more sophisticated scenarios on my GNU/Linux boxes, for instance execution of commands like touch -m 'faketime' somefile. I straced the exec and found out the difference between a normal touch and a touch with the timestamp-modifying flag. These are respectively:
utimes("/proc/self/fd/0", NULL) = 0
utimes("/proc/self/fd/0", {{1364383142, 0}, {1364383160, 875693}}) = 0
So it seems to be easy to catch suspicious occurrences of the utimes syscall; its second (a1) argument has to be NULL. I tried to set the following audit rule:
-a exit,always -F arch=b32 -S utimes -F a1!=0 -k TIMESTAMP_TAMPERING
However, it doesn't catch the call. A text representation of the value (NULL) is not accepted by auditd in the a1-a4 arguments, at least I ran into trouble trying to achieve it. Any suggestions? Thanks in advance.
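An added example, not part of the original question: a small scanner that reads raw audit.log SYSCALL records and flags utime-family calls whose times pointer is non-NULL, plus the auditctl rules that express the same condition. Two caveats it builds in: a rule with -F arch=b32 only matches 32-bit callers, so a native 64-bit touch needs a second rule with arch=b64; and touch may reach the kernel through utimensat or futimesat instead of utimes, where the times pointer is the third argument (a2), not a1. NULL is simply the integer 0 in an auditctl -F comparison. The syscall numbers and the sample log lines are my own assumptions (constructed data), so check the numbers on the target with ausyscall before relying on them.

```python
import re

# Added example (not from the original post). Scans constructed audit.log
# SYSCALL records for timestamp-setting syscalls with a non-NULL times pointer.

# arch= value -> {syscall number: (name, index of the times-pointer argument)}.
# Numbers for x86_64 (c000003e) and i386 (40000003) are from memory (assumption):
# verify with `ausyscall x86_64 utimes`, `ausyscall i386 utimensat`, etc.
TIME_SYSCALLS = {
    "c000003e": {132: ("utime", 1), 235: ("utimes", 1),
                 261: ("futimesat", 2), 280: ("utimensat", 2)},
    "40000003": {30: ("utime", 1), 271: ("utimes", 1),
                 299: ("futimesat", 2), 320: ("utimensat", 2)},
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one raw audit record into a dict of key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def explicit_timestamp(rec):
    """Return (syscall name, times pointer) when the record is a utime-family
    call whose times pointer is non-NULL, otherwise None."""
    if rec.get("type") != "SYSCALL":
        return None
    table = TIME_SYSCALLS.get(rec.get("arch"))
    if table is None:
        return None
    entry = table.get(int(rec.get("syscall", "-1")))
    if entry is None:
        return None
    name, idx = entry
    ptr = int(rec.get(f"a{idx}", "0"), 16)  # auditd logs a0..a3 as bare hex
    return (name, ptr) if ptr != 0 else None


def scan(lines):
    """Return one finding per record that supplied an explicit timestamp."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        hit = explicit_timestamp(rec)
        if hit:
            name, ptr = hit
            findings.append({
                "pid": rec.get("pid"), "auid": rec.get("auid"),
                "comm": rec.get("comm"), "exe": rec.get("exe"),
                "syscall": name, "times_ptr": hex(ptr), "key": rec.get("key"),
            })
    return findings


def audit_rules():
    """auditctl rules for the same condition on both ABIs. NULL is the integer 0
    in a -F comparison; utimensat/futimesat carry the times pointer in a2."""
    rules = []
    for arch in ("b64", "b32"):
        rules.append(f"-a always,exit -F arch={arch} -S utimes -S utime "
                     f"-F a1!=0 -k TIMESTAMP_TAMPERING")
        rules.append(f"-a always,exit -F arch={arch} -S utimensat -S futimesat "
                     f"-F a2!=0 -k TIMESTAMP_TAMPERING")
    return rules


# Constructed sample records (not real logs); field values are made up.
SAMPLE_LOG = [
    # plain `touch somefile` on x86_64: utimes with times=NULL (a1=0)
    'type=SYSCALL msg=audit(1364383142.000:101): arch=c000003e syscall=235 success=yes exit=0 '
    'a0=1d6b010 a1=0 a2=0 a3=7fff2c1a0c60 items=1 ppid=2200 pid=2231 auid=1000 uid=1000 '
    'comm="touch" exe="/usr/bin/touch" key="TIMESTAMP_TAMPERING"',
    # `touch -m -d "2013-03-27" somefile` on x86_64: explicit timeval array in a1
    'type=SYSCALL msg=audit(1364383160.875:102): arch=c000003e syscall=235 success=yes exit=0 '
    'a0=1d6b010 a1=7fff2c1a0c40 a2=0 a3=7fff2c1a0c60 items=1 ppid=2200 pid=2232 auid=1000 uid=1000 '
    'comm="touch" exe="/usr/bin/touch" key="TIMESTAMP_TAMPERING"',
    # 32-bit utimensat with an explicit timespec array in a2
    'type=SYSCALL msg=audit(1364383170.120:103): arch=40000003 syscall=320 success=yes exit=0 '
    'a0=ffffff9c a1=9e4c010 a2=bfc3a0c0 a3=0 items=1 ppid=2200 pid=2240 auid=1000 uid=1000 '
    'comm="touch" exe="/usr/bin/touch" key="TIMESTAMP_TAMPERING"',
    # unrelated syscall (open) that must be ignored even though a1=0
    'type=SYSCALL msg=audit(1364383180.000:104): arch=c000003e syscall=2 success=yes exit=3 '
    'a0=1d6b010 a1=0 a2=1b6 a3=0 items=1 ppid=2200 pid=2250 auid=1000 uid=1000 '
    'comm="cat" exe="/usr/bin/cat" key=(null)',
]

if __name__ == "__main__":
    for rule in audit_rules():
        print(rule)
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

In practice you would feed it `ausearch -k TIMESTAMP_TAMPERING --raw` output rather than the constructed list, and the rules from audit_rules() go into /etc/audit/rules.d/ (or are loaded with auditctl) so that the key is present on the records the scanner looks at.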