If the date and/or time is set on a system with the date(1) command, this is also recorded in /etc/utmp and /var/adm/wtmp. Two utmp records are always logged in this case. The first utmp entry uses type 3 (OLD_TIME) and the second entry uses type 4 (NEW_TIME).
To demonstrate, let’s change the time on a test system:
# date
Thu Jan 13 15:59:29 CET 2022
# date 01131558
Thu Jan 13 15:58:53 CET 2022
#
The entries generated are:
# /usr/sbin/acct/fwtmp </etc/utmp |grep time
old time 3 0 0000 0000 1642085993 Thu Jan 13 15:59:53 2022
new time 4 0 0000 0000 1642085933 Thu Jan 13 15:58:53 2022
#
The time was changed at 15:59:53 (type 3 entry “old time”) and was set to the new time 15:58:53 (type 4 entry “new time”).
This can also be displayed with the who(1) command and the ‘-t’ option:
# who -t
. old time Jan 13 15:59
. new time Jan 13 15:58
#
If the time is changed again, the type 3 and 4 entries in /etc/utmp are reused. However, in /var/adm/wtmp additional entries are added.
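Because /var/adm/wtmp keeps every pair, the history of clock changes can be reviewed by pairing each type 3 record with the type 4 record that follows it. The script below is an added example, not part of the original article; the function names time_changes and sample_wtmp are hypothetical, and it assumes the fwtmp field layout shown above, with the epoch value in the seventh field of old/new time records.

```shell
#!/bin/sh
# Added example: pair OLD_TIME (type 3) and NEW_TIME (type 4) records from
# fwtmp text output and report each clock change with its offset in seconds.
# Assumed layout (as shown on this page):
#   old time 3 0 0000 0000 <epoch> <date text>

time_changes() {
    awk '
        # Type 3: remember the clock value just before the change.
        $1 == "old" && $2 == "time" && $3 == 3 { old = $7; have_old = 1; next }
        # Type 4: the value the clock was set to; report the pair.
        $1 == "new" && $2 == "time" && $3 == 4 {
            if (!have_old) { print "unpaired new_time " $7; next }
            delta = $7 - old
            dir = (delta < 0) ? "BACKWARD" : "forward"
            print old, $7, delta, dir
            have_old = 0
        }
        # A trailing type 3 record without its partner is worth a look.
        END { if (have_old) print "unpaired old_time " old }
    '
}

# Constructed sample input. The first pair is the one from this page;
# the login record and the second pair are invented for illustration.
sample_wtmp() {
    cat <<'EOF'
old time 3 0 0000 0000 1642085993 Thu Jan 13 15:59:53 2022
new time 4 0 0000 0000 1642085933 Thu Jan 13 15:58:53 2022
root pts/0 pts/0 7 12345 0000 0000 1642086000 Thu Jan 13 16:00:00 2022
old time 3 0 0000 0000 1642090000 Thu Jan 13 17:06:40 2022
new time 4 0 0000 0000 1642093600 Thu Jan 13 18:06:40 2022
EOF
}

# On a live system: /usr/sbin/acct/fwtmp </var/adm/wtmp | time_changes
sample_wtmp | time_changes
```

Each output line gives the old epoch, the new epoch, the offset in seconds and the direction. A backward step means that records logged afterwards can carry earlier timestamps than records logged before the change.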