This is an old revision of the document!


A PCRE internal error occured. This might be caused by a faulty plugin

======4.1.4 Ensure events that modify date and time information are collected (Scored)====== =====Profile Applicability===== <code> Level 2 - Server Level 2 - Workstation </code> =====Description===== Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the ''adjtimex'' (tune kernel clock), ''settimeofday'' (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or ''clock_settime'' (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the ''/var/log/audit.log'' file upon exit, tagging the records with the identifier "time-change" =====Rationale===== Unexpected changes in system date and/or time could be a sign of malicious activity on the system. =====Audit===== On a 32 bit system run the following command and verify the output matches: <Code:bash> # grep time-change /etc/audit/audit.rules -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change </Code> On a 64 bit system run the following command and verify the output matches: <Code:bash> # grep time-change /etc/audit/audit.rules -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change </Code> =====Remediation===== For 32 bit systems add the following lines to the /etc/audit/audit.rules file: <Code:bash> -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change </Code> For 64 bit systems add the following lines to the /etc/audit/audit.rules file: <Code:bash> -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change </Code>