Title

The DBMS must use system clocks to generate time stamps for use in audit records and application data. (Cat II impact)

Discussion

Internal system clocks are typically a feature of server hardware and are maintained and used by the operating system. They are typically synchronized with an authoritative time server at regular intervals. Without an internal system clock used as the reference for the time stored on each event to provide a trusted common reference for the time, forensic analysis would be impeded. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Time stamps generated by the internal system clock and used by the DBMS shall include both date and time. The time may be expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. If time sources other than the system time are used for audit records, the timeline of events can get skewed. This makes forensic analysis of the logs much less reliable.

Check Content

Using product documentation, verify that the DBMS uses current time stamp values obtained from or synchronized with the internal system clock used by the operating system. If it is not able to, this is a finding. If it is able to but is configured so that it does not do so, this is a finding.

Fix Text

Deploy a DBMS that can use time stamp values obtained from or synchronized with the internal system clock used by the operating system. Configure the DBMS to use time stamp values obtained from or synchronized with the internal system clock used by the operating system.

Additional Identifiers

Rule ID: SV-206537r879575_rule

Vulnerability ID: V-206537

Group Title: SRG-APP-000116

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.