An error occurred:

Check: RHEL-06-000169

Red Hat Enterprise Linux 6 STIG: RHEL-06-000169 (in versions v2 r2 through v1 r23)

Title

The audit system must be configured to audit all attempts to alter system time through stime. (Cat III impact)

Discussion

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Check Content

If the system is 64-bit only, this is not applicable. To determine if the system is configured to audit calls to the "stime" system call, run the following command: $ sudo grep -w "stime" /etc/audit/audit.rules -a always,exit -F arch=b32 -S stime -k audit_time_rules If the system is not configured to audit the "stime" syscall, this is a finding.

Fix Text

Add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S stime -k audit_time_rules

Additional Identifiers

Rule ID: SV-217953r603264_rule

Vulnerability ID: V-217953

Group Title: SRG-OS-000062

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000169

Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2 a on organization-defined information system components.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AU-12

Audit Generation