4.1.3 Ensure events that modify date and time information are collected - b64 adjtimex

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier 'time-change'

Note: Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.

Rationale:

Unexpected changes in system date and/or time could be a sign of malicious activity on the system.

Solution

For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules
Example: vi /etc/audit/rules.d/time_change.rules
and add the following lines:

-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change

For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules
Example: vi /etc/audit/rules.d/time_change.rules
and add the following lines:

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change

See Also

https://workbench.cisecurity.org/files/3288