
4.1.3.4 Ensure events that modify date and time information are collected

Audit

64 Bit systems

On disk configuration

Run the following command to check the on disk rules:

# {
awk '/^ *-a *always,exit/ \
&&/ -F *arch=b[2346]{2}/ \
&&/ -S/ \
&&(/adjtimex/ \
 ||/settimeofday/ \
 ||/clock_settime/ ) \
&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules
awk '/^ *-w/ \
&&/\/etc\/localtime/ \
&&/ +-p *wa/ \
&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules
}

Verify that the output matches:

-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change
-w /etc/localtime -p wa -k time-change

Running configuration

Run the following command to check loaded rules:

# {
auditctl -l | awk '/^ *-a *always,exit/ \
&&/ -F *arch=b[2346]{2}/ \
&&/ -S/ \
&&(/adjtimex/ \
 ||/settimeofday/ \
 ||/clock_settime/ ) \
&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)'
auditctl -l | awk '/^ *-w/ \
&&/\/etc\/localtime/ \
&&/ +-p *wa/ \
&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)'
}

Verify the output includes:

-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -F key=time-change
-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -F key=time-change
-w /etc/localtime -p wa -k time-change

32 Bit systems

Follow the same procedures as for 64 bit systems and ignore any entries with b64.

In addition, also audit the stime system call. For example:

-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k time-change
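The two audit steps above (on-disk rules, then the running rule set) can be folded into one reusable check. The script below is an added example, not part of the benchmark: it takes the benchmark's awk patterns and wraps them in functions that accept any rules file, so the same code runs against `/etc/audit/rules.d/*.rules` or against saved `auditctl -l` output. It is stricter than the page's awk in one respect, which is this example's own choice: a syscall rule only counts if it names all three of adjtimex, settimeofday and clock_settime, since a rule covering only one of them would pass the page's `||` match yet leave the others unaudited. The sample rule files are constructed inline.

```shell
#!/bin/sh
# Added example (not the benchmark's own code): compliance check for the
# time-change rules that works on a rules file or on saved auditctl -l output.

# Does FILE contain an "-a always,exit" rule for ARCH (b32 or b64) that covers
# adjtimex, settimeofday and clock_settime and carries a key (-k or -F key=)?
has_syscall_rule() {
    arch="$1"
    file="$2"
    awk -v arch="$arch" '
        /^ *-a *always,exit/ && $0 ~ (" -F *arch=" arch) && / -S/ &&
        /adjtimex/ && /settimeofday/ && /clock_settime/ &&
        (/ key= *[!-~]* *$/ || / -k *[!-~]* *$/) { found = 1 }
        END { exit found ? 0 : 1 }' "$file"
}

# Does FILE contain a keyed "-w /etc/localtime -p wa" watch rule?
has_watch_rule() {
    awk '
        /^ *-w/ && /\/etc\/localtime/ && / +-p *wa/ &&
        (/ key= *[!-~]* *$/ || / -k *[!-~]* *$/) { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# 64-bit layout: b64 and b32 syscall rules plus the /etc/localtime watch.
check_time_rules() {
    has_syscall_rule b64 "$1" && has_syscall_rule b32 "$1" && has_watch_rule "$1"
}

# Constructed sample inputs standing in for /etc/audit/rules.d/*.rules.
GOOD_RULES=$(mktemp)
BAD_RULES=$(mktemp)
trap 'rm -f "$GOOD_RULES" "$BAD_RULES"' EXIT
cat > "$GOOD_RULES" <<'EOF'
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
EOF
# A typical partial configuration: the b64 rule omits clock_settime, there is
# no b32 rule, and the watch has no key, so "ausearch -k" would not find it.
cat > "$BAD_RULES" <<'EOF'
-a always,exit -F arch=b64 -S adjtimex,settimeofday -k time-change
-w /etc/localtime -p wa
EOF

for f in "$GOOD_RULES" "$BAD_RULES"; do
    if check_time_rules "$f"; then echo "$f: PASS"; else echo "$f: FAIL"; fi
done
# On a real host, as root, the same functions cover both audit steps:
#   cat /etc/audit/rules.d/*.rules > "$tmp"; check_time_rules "$tmp"   # on disk
#   auditctl -l > "$tmp"; check_time_rules "$tmp"                     # running
```

On a 32-bit system, call `has_syscall_rule b32` and `has_watch_rule` only, and extend the b32 pattern with `/stime/` to match the additional rule the page requires there.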

Remediation

Create audit rules

Edit or create a file in the /etc/audit/rules.d/ directory, ending in the .rules extension, with the relevant rules to monitor events that modify date and time information.

64 Bit systems

Example:

# printf "
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
" >> /etc/audit/rules.d/50-time-change.rules

Load audit rules

Merge and load the rules into active configuration:

# augenrules --load

Check if a reboot is required.

# if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi

32 Bit systems

Follow the same procedures as for 64 bit systems and ignore any entries with b64. In addition, add stime to the system call audit. Example:

-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k time-change
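The remediation steps above (write the rules file, load with augenrules, check whether the rule set is locked) can be combined into one script that also chooses between the 64-bit and 32-bit rule sets. This is an added example, not the benchmark's own remediation: the rules file path is the page's, while `rules_for_arch`, `install_rules` and `remediate` are this example's own names, and the list of machine types treated as 64-bit is an assumption. Unlike the page's `printf ... >>`, which appends a fresh copy of the rules every time it is run, `install_rules` only rewrites the file when its contents differ, so the remediation can be re-run safely from configuration management.

```shell
#!/bin/sh
# Added example (not the benchmark's own code): idempotent remediation for the
# time-change audit rules, with the 32-bit variant chosen from uname -m.
RULES_FILE="${RULES_FILE:-/etc/audit/rules.d/50-time-change.rules}"

# Print the rule lines for MACHINE (as reported by uname -m). The set of
# 64-bit machine names below is an assumption of this example.
rules_for_arch() {
    case "$1" in
        x86_64|aarch64|ppc64le|s390x)
            printf '%s\n' \
              '-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change' \
              '-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change'
            ;;
        *)
            # 32-bit kernels: b32 only, and stime is audited as well.
            printf '%s\n' \
              '-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k time-change'
            ;;
    esac
    printf '%s\n' '-w /etc/localtime -p wa -k time-change'
}

# Write TARGET if its contents differ from the wanted rules.
# Returns 0 if the file was (re)written, 1 if it was already current.
install_rules() {
    target="$1"
    machine="$2"
    wanted=$(rules_for_arch "$machine")
    if [ -f "$target" ] && [ "$(cat "$target")" = "$wanted" ]; then
        return 1
    fi
    printf '%s\n' "$wanted" > "$target"
}

# Full remediation for the local host; needs root and auditd.
remediate() {
    if install_rules "$RULES_FILE" "$(uname -m)"; then
        augenrules --load
        # "enabled 2" in auditctl -s means the rule set is locked (-e 2),
        # so the new rules only take effect after a reboot.
        if auditctl -s | grep -qx 'enabled 2'; then
            echo "Reboot required to load rules"
        fi
    else
        echo "$RULES_FILE already current, nothing to load"
    fi
}

# Demonstration on a temporary file; run "remediate" as root for the real thing.
DEMO=$(mktemp)
trap 'rm -f "$DEMO"' EXIT
install_rules "$DEMO" "$(uname -m)" && echo "wrote $DEMO:" && cat "$DEMO"
```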