Title

The audit system must be configured to audit all attempts to alter system time through adjtimex. (Cat III impact)

Discussion

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Check Content

To determine if the system is configured to audit calls to the "adjtimex" system call, run the following command: $ sudo grep -w "adjtimex" /etc/audit/audit.rules -a always,exit -F arch=b32 -S adjtimex -k audit_time_rules -a always,exit -F arch=b64 -S adjtimex -k audit_time_rules If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "adjtimex" syscall, this is a finding.

Fix Text

Add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S adjtimex -k audit_time_rules If the system is 64-bit, then also add the following: # audit_time_rules -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules

Additional Identifiers

Rule ID: SV-217951r603264_rule

Vulnerability ID: V-217951

Group Title: SRG-OS-000062

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.