WBLC-02-000093 - Oracle WebLogic must use internal system clocks to generate time stamps for audit records.

Information

Without the use of an approved and synchronized time source, configured on the systems, events cannot be accurately correlated and analyzed to determine what is transpiring within the application server.

If an event has been triggered on the network, and the application server is not configured with the correct time, the event may be seen as insignificant, when in reality the events are related and may have a larger impact across the network. Synchronization of system clocks is needed in order to correctly correlate the timing of events that occur across multiple systems. Determining the correct time a particular event occurred on a system, via time stamps, is critical when conducting forensic analysis and investigating system events.
Application servers must utilize the internal system clock when generating time stamps and audit records.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

1. Access EM
2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Security' -> 'Security Provider Configuration'
3. Beneath 'Audit Service' section, click 'Configure' button
4. Set the 'Timezone Settings' radio button to 'UTC' so audit logs will be time stamped in Coordinated Universal Time regardless of the time zone of the underlying physical or virtual machine
5. The time stamp will be recorded according to the operating system's set time
6. Click 'Apply' and restart the servers in the WebLogic domain

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_WebLogic_Server_12c_V1R6_STIG.zip

Item Details

References: CAT|III, CCI|CCI-000159, Rule-ID|SV-235954r628640_rule, STIG-ID|WBLC-02-000093, STIG-Legacy|SV-70511, STIG-Legacy|V-56257, Vuln-ID|V-235954

Plugin: Windows

Control ID: b6d19fc2ebb7378edeb677e9520d305c5bcb4b3e85acff5368e4869013489e58