V8.04.002.2025.08.11

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

config/hooks/live/9996_auditd.chroot

@@ -53,10 +53,15 @@ cat << EOF >| /etc/audit/rules.d/20-dont-audit.rules
 ## is a first match wins system. Uncomment the rules you want.
 
 ## Cron jobs fill the logs with stuff we normally don't want
--a never,user -F subj_type=crond_t
+-a never,user
 
 ## This prevents chrony from overwhelming the logs
--a never,exit -F arch=x86_64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
+-a never,exit -F arch=b64 -S adjtimex -F exe=/usr/sbin/chronyd
+-a never,exit -F arch=b32 -S adjtimex -F exe=/usr/sbin/chronyd
+
+## Human-attributable time changes
+-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F auid>=1000 -F auid!=4294967295 -k time-change
+-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -F auid>=1000 -F auid!=4294967295 -k time-change
 
 ### This is not very interesting and wastes a lot of space if
 ### the server is public facing
@@ -75,8 +80,8 @@ EOF
 ############################################################### /etc/audit/rules.d/22-ignore-chrony.rules
 cat << EOF >| /etc/audit/rules.d/22-ignore-chrony.rules
 ## This rule suppresses the time-change event when chrony does time updates
--a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=_chrony -F subj_type=chronyd_t
--a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=_chrony -F subj_type=chronyd_t
+-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=_chrony
+-a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=_chrony
 EOF
 
 ############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules