Differences

This shows you the differences between two versions of the page.

Link to this comparison view

centos7:4:1:4 [2017/05/04 15:56] (current)
Line 1: Line 1:
 +======4.1.4 Ensure events that modify date and time information are collected (Scored)======
 +=====Profile Applicability=====  ​
 +<​code>​
 +Level 2 - Server
 +Level 2 - Workstation ​
 +</​code>​
 +
 +=====Description=====
 +Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the ''​adjtimex''​ (tune kernel clock), ''​settimeofday''​ (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or ''​clock_settime''​ (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the ''/​var/​log/​audit.log''​ file upon exit, tagging the records with the identifier "​time-change"​
 +
 +=====Rationale=====
 +Unexpected changes in system date and/or time could be a sign of malicious activity on the system.
 +
 +=====Audit===== ​
 +On a 32 bit system run the following command and verify the output matches:
 +<​Code:​bash>​
 +# grep time-change /​etc/​audit/​audit.rules ​
 +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change ​
 +-a always,exit -F arch=b32 -S clock_settime -k time-change ​
 +-w /​etc/​localtime -p wa -k time-change
 +</​Code>​
 +On a 64 bit system run the following command and verify the output matches:
 +<​Code:​bash>​
 +# grep time-change /​etc/​audit/​audit.rules ​
 +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change ​
 +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change ​
 +-a always,exit -F arch=b64 -S clock_settime -k time-change ​
 +-a always,exit -F arch=b32 -S clock_settime -k time-change ​
 +-w /​etc/​localtime -p wa -k time-change
 +</​Code>​
 +=====Remediation===== ​
 +For 32 bit systems add the following lines to the /​etc/​audit/​audit.rules file:
 +<​Code:​bash>​
 +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change ​
 +-a always,exit -F arch=b32 -S clock_settime -k time-change ​
 +-w /​etc/​localtime -p wa -k time-change
 +</​Code>​
 +For 64 bit systems add the following lines to the /​etc/​audit/​audit.rules file:
 +<​Code:​bash>​
 +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change ​
 +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change ​
 +-a always,exit -F arch=b64 -S clock_settime -k time-change ​
 +-a always,exit -F arch=b32 -S clock_settime -k time-change ​
 +-w /​etc/​localtime -p wa -k time-change
 +</​Code>​