Falco doesn't update/sync with system time after start

[illethrias]

Describe the bug
When the system time is changed - e.g. sync with HW clock Falco is using old time. This can cause discrepancies in matching different logs together and establishing proper timeline.

How to reproduce it

• add evt.datetime to rules to see full datetime
• stop timesync sudo systemctl start systemd-timesyncd
• set arbitrary date/time: sudo timedatectl set-time '2024-07-22 10:00:00'
• trigger some Falco alert e.g. sudo cat /etc/shadow
• evt.datetime is still showing current date and time not aligning to the system one

Expected behaviour
Falco should sync time to the system-time during it lifetime in case of time drift to provide correct information to the user.

Screenshots

Environment

• Falco version: 0.38.1
• System info:
  "machine": "x86_64",
  "release": "6.5.0-44-generic",
  "sysname": "Linux",
  "version": "# 44~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Jun 18 14:36:16 UTC 2"
• Cloud provider or hardware configuration: ntb dell, i7-10850H, 32GB
• OS: Ubuntu 22.04.4 LTS
• Kernel: 6.5.0-44-generic
• Installation method: DEB

Additional context

This issue was first discovered on Hetzner VM where time desynchronization was detected - "temporary" fixed by /sbin/hwclock --hctosys in crontab. This is keeping time correct on system but Falco is using more and more out of sync time. I was able to reproduce it on laptop as well (thus the env info ^^).

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale