4.1.4 Ensure events that modify date and time information are collected - adjtimex

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

Unexpected changes in system date and/or time could be a sign of malicious activity on the system.

Solution

For 32-bit systems, add the following lines to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change

For 64-bit systems, add the following lines to the /etc/audit/audit.rules file:

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
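
One way to verify that a rules file contains the lines above (an added example, not part of the original audit or of the CIS benchmark). The function names and the sample file are assumptions made for this example; matching is on exact rule text after whitespace is normalised, so an equivalent rule written with its fields in a different order is reported as missing.

```shell
#!/bin/sh
# Added example: checks a rules file for the time-change rules listed above.

# Print the rule lines the page requires for the given word size (32 or 64).
required_time_rules() {
    if [ "$1" = 64 ]; then
        echo '-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change'
        echo '-a always,exit -F arch=b64 -S clock_settime -k time-change'
    fi
    # The page lists the b32 rules for both 32-bit and 64-bit systems.
    echo '-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change'
    echo '-a always,exit -F arch=b32 -S clock_settime -k time-change'
    echo '-w /etc/localtime -p wa -k time-change'
}

# Collapse runs of whitespace, trim each line, drop comments and blank lines.
normalise_rules() {
    sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' \
        -e '/^#/d' -e '/^$/d' "$1"
}

# Print each missing rule. Returns 0 if none are missing, 1 if any are,
# 2 if the file cannot be read.
missing_time_rules() {
    file=$1
    bits=$2
    missing=0
    normalised=$(normalise_rules "$file") || return 2
    while IFS= read -r rule; do
        if ! printf '%s\n' "$normalised" | grep -Fxq -e "$rule"; then
            printf 'MISSING: %s\n' "$rule"
            missing=1
        fi
    done <<EOF
$(required_time_rules "$bits")
EOF
    return $missing
}

# Constructed sample: a 64-bit host whose rules file lacks the b32 entries.
sample=$(mktemp)
cat > "$sample" <<'EOF'
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
EOF
missing_time_rules "$sample" 64 || echo "time-change rules incomplete"
rm -f "$sample"
```

On a real host, call `missing_time_rules /etc/audit/audit.rules 64` (or `32`); the check reads the file only and does not confirm which rules the kernel has loaded.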

See Also

https://workbench.cisecurity.org/files/1859

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12, CSCv6|3.6

Plugin: Unix

Control ID: 75b5a357c0d8cba3d879a2894cb180b53aa1848a8f757181fc05ea49531dc1a4