4.1.3.4 Ensure events that modify date and time information are collected

Information

Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the;

- adjtimex - tune kernel clock
- settimeofday - set time using timeval and timezone structures
- stime - using seconds since 1/1/1970
- clock_settime - allows for the setting of several internal clocks and timers

system calls have been executed. Further, ensure to write an audit record to the configured audit log file upon exit, tagging the records with a unique identifier such as "time-change".

Unexpected changes in system date and/or time could be a sign of malicious activity on the system.

Solution

Create audit rules

Edit or create a file in the /etc/audit/rules.d/ directory, ending inrules extension, with the relevant rules to monitor events that modify date and time information.

64 Bit systems

Example:

# printf "
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
" >> /etc/audit/rules.d/50-time-change.rules

Load audit rules

Merge and load the rules into active configuration:

# augenrules --load

Check if reboot is required.

# if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules
"; fi

32 Bit systems

Follow the same procedures as for 64 bit systems and ignore any entries with b64 In addition, add stime to the system call audit. Example:

-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k time-change

See Also

https://workbench.cisecurity.org/files/4239