4.1.4 Ensure events that modify date and time information are collected - auditctl time-change

Information

Unexpected changes in system date and/or time could be a sign of malicious activity on the system.

Solution

For 32 bit systems add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change

For 64 bit systems add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change

See Also

https://workbench.cisecurity.org/files/1863

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c., CSCv6|3.6

Plugin: Unix

Control ID: d9cea63933a40eb720110b9486674b833a3201dc2f7118fc9e45cfe6567ba9f1