Details
Capture events where the system date and/or time has been modified. The parameters in
this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time,
using timeval and timezone structures) stime (using seconds since 1/1/1970) or
clock_settime (allows for the setting of several internal clocks and timers) system calls
have been executed and always write an audit record to the /var/log/audit.log file upon
exit, tagging the records with the identifier ‘time-change’
*Rationale*
Unexpected changes in system date and/or time could be a sign of malicious activity on the
system.
Solution
For 64 bit systems, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
# Execute the following command to restart auditd
# pkill -P 1-HUP auditdFor 32 bit systems, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
# Execute the following command to restart auditd
# pkill -P 1-HUP auditd
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Audit and Accountability.This control applies to the following type of system Unix.