aquasecurity · yanivagman · Jul 28, 2024 · Jul 25, 2024
diff --git a/docs/docs/events/builtin/extra/security_settime64.md b/docs/docs/events/builtin/extra/security_settime64.md
@@ -0,0 +1,31 @@
+# security_settime64
+
+## Intro
+security_settime64 - set the system time
+
+## Description
+The event indicates a request to set the time
+The event is triggered by the permissions check for the operation, as LSM hook.
+
+## Arguments
+* `tv_sec`:u64`[K] - the time in seconds.
+* `tv_nsec`:`u64`[K] - the time in nanoseconds.
+* `tz_minuteswest`:`int`[K] - minutes west of Greenwich
+* `tz_dsttime`:`int`[K] - type of dst correction
+
+## Hooks
+### security_settime64
+#### Type
+kprobe
+#### Purpose
+The LSM hook of setting the system time. This hook triggers the event. 
+
+## Example Use Case
+
+```console
+./tracee -e security_settime64
+```
+
+## Issues
+
+## Related Events
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -109,6 +109,7 @@ nav:
                             - security_socket_bind: docs/events/builtin/extra/security_socket_bind.md
                             - security_socket_connect: docs/events/builtin/extra/security_socket_connect.md
                             - security_socket_setsockopt: docs/events/builtin/extra/security_socket_setsockopt.md
+                            - security_settime64: docs/docs/events/builtin/extra/security_settime64.md
                             - symbols_collision: docs/events/builtin/extra/symbols_collision.md
                             - symbols_loaded: docs/events/builtin/extra/symbols_loaded.md
                             - vfs_read: docs/events/builtin/extra/vfs_read.md

diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -5132,6 +5132,33 @@ int BPF_KPROBE(trace_security_task_setrlimit)
     return events_perf_submit(&p, 0);
 }
 
+SEC("kprobe/security_settime64")
+int BPF_KPROBE(trace_security_settime64)
+{
+    program_data_t p = {};
+    if (!init_program_data(&p, ctx, SECURITY_SETTIME64))
+        return 0;
+
+    if (!evaluate_scope_filters(&p))
+        return 0;
+
+    const struct timespec64 *ts = (const struct timespec64 *) PT_REGS_PARM1(ctx);
+    const struct timezone *tz = (const struct timezone *) PT_REGS_PARM2(ctx);
+
+    u64 tv_sec = BPF_CORE_READ(ts, tv_sec);
+    u64 tv_nsec = BPF_CORE_READ(ts, tv_nsec);
+
+    int tz_minuteswest = BPF_CORE_READ(tz, tz_minuteswest);
+    int tz_dsttime = BPF_CORE_READ(tz, tz_dsttime);
+
+    save_to_submit_buf(&p.event->args_buf, &tv_sec, sizeof(u64), 0);
+    save_to_submit_buf(&p.event->args_buf, &tv_nsec, sizeof(u64), 1);
+    save_to_submit_buf(&p.event->args_buf, &tz_minuteswest, sizeof(int), 2);
+    save_to_submit_buf(&p.event->args_buf, &tz_dsttime, sizeof(int), 3);
+
+    return events_perf_submit(&p, 0);
+}
+
 // clang-format off
 
 // Network Packets (works from ~5.2 and beyond)

diff --git a/pkg/ebpf/c/types.h b/pkg/ebpf/c/types.h
@@ -130,6 +130,7 @@ enum event_id_e
     EXECUTE_FINISHED,
     SECURITY_BPRM_CREDS_FOR_EXEC,
     SECURITY_TASK_SETRLIMIT,
+    SECURITY_SETTIME64,
     MAX_EVENT_ID,
     NO_EVENT_SUBMIT,
 

diff --git a/pkg/ebpf/c/vmlinux.h b/pkg/ebpf/c/vmlinux.h
@@ -615,6 +615,11 @@ struct timespec64 {
     long int tv_nsec;
 };
 
+struct timezone {
+    int tz_minuteswest;
+    int tz_dsttime;
+};
+
 typedef long long __kernel_time64_t;
 
 struct __kernel_timespec {

diff --git a/pkg/ebpf/probes/probe_group.go b/pkg/ebpf/probes/probe_group.go
@@ -223,6 +223,7 @@ func NewDefaultProbeGroup(module *bpf.Module, netEnabled bool) (*ProbeGroup, err
 		ExecuteFinishedCompatARM:   NewTraceProbe(KretProbe, "__arm64_compat_sys_execve", "trace_execute_finished"),
 		ExecuteAtFinishedCompatARM: NewTraceProbe(KretProbe, "__arm64_compat_sys_execveat", "trace_execute_finished"),
 		SecurityTaskSetrlimit:      NewTraceProbe(KProbe, "security_task_setrlimit", "trace_security_task_setrlimit"),
+		SecuritySettime64:          NewTraceProbe(KProbe, "security_settime64", "trace_security_settime64"),
 
 		TestUnavailableHook: NewTraceProbe(KProbe, "non_existing_func", "empty_kprobe"),
 		ExecTest:            NewTraceProbe(RawTracepoint, "raw_syscalls:sched_process_exec", "tracepoint__exec_test"),

diff --git a/pkg/ebpf/probes/probes.go b/pkg/ebpf/probes/probes.go
@@ -149,6 +149,7 @@ const (
 	ExecuteFinishedCompatARM
 	ExecuteAtFinishedCompatARM
 	SecurityTaskSetrlimit
+	SecuritySettime64
 )
 
 // Test probe handles

diff --git a/pkg/events/core.go b/pkg/events/core.go
@@ -112,6 +112,7 @@ const (
 	ExecuteFinished
 	SecurityBprmCredsForExec
 	SecurityTaskSetrlimit
+	SecuritySettime64
 	MaxCommonID
 )
 
@@ -13086,6 +13087,23 @@ var CoreEvents = map[ID]Definition{
 			{Type: "u64", Name: "new_rlim_max"},
 		},
 	},
+	SecuritySettime64: {
+		id:      SecuritySettime64,
+		id32Bit: Sys32Undefined,
+		name:    "security_settime64",
+		dependencies: Dependencies{
+			probes: []Probe{
+				{handle: probes.SecuritySettime64, required: true},
+			},
+		},
+		sets: []string{"lsm"},
+		params: []trace.ArgMeta{
+			{Type: "u64", Name: "tv_sec"},
+			{Type: "u64", Name: "tv_nsec"},
+			{Type: "int", Name: "tz_minuteswest"},
+			{Type: "int", Name: "tz_dsttime"},
+		},
+	},
 	//
 	// Begin of Signal Events (Control Plane)
 	//