{"description": "If the <tt>auditd</tt> daemon is configured to use the\n<tt>augenrules</tt> program to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffix <tt>.rules</tt> in the\ndirectory <tt>/etc/audit/rules.d</tt> for both 32 bit and 64 bit systems:\n<pre>-a always,exit -F arch=b32 -S stime -F key=audit_time_rules</pre>\nSince the 64 bit version of the \"stime\" system call is not defined in the audit\nlookup table, the corresponding \"-F arch=b64\" form of this rule is not expected\nto be defined on 64 bit systems (the aforementioned \"-F arch=b32\" stime rule\nform itself is sufficient for both 32 bit and 64 bit systems). If the\n<tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility to\nread audit rules during daemon startup, add the following line to\n<tt>/etc/audit/audit.rules</tt> file for both 32 bit and 64 bit systems:\n<pre>-a always,exit -F arch=b32 -S stime -F key=audit_time_rules</pre>\nSince the 64 bit version of the \"stime\" system call is not defined in the audit\nlookup table, the corresponding \"-F arch=b64\" form of this rule is not expected\nto be defined on 64 bit systems (the aforementioned \"-F arch=b32\" stime rule\nform itself is sufficient for both 32 bit and 64 bit systems). The -k option\nallows for the specification of a key in string form that can be used for\nbetter reporting capability through ausearch and aureport. Multiple system\ncalls can be defined on the same line to save space if desired, but is not\nrequired. See an example of multiple combined system calls:\n<pre>-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules</pre>", "rationale": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). All changes\nto the system time should be audited.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "19", "2", "3", "4", "5", "6", "7", "8", "9"], "cjis": ["5.4.1.1"], "cobit5": ["APO10.01", "APO10.03", "APO10.04", "APO10.05", "APO11.04", "APO12.06", "APO13.01", "BAI03.05", "BAI08.02", "DSS01.03", "DSS01.04", "DSS02.02", "DSS02.04", "DSS02.07", "DSS03.01", "DSS03.05", "DSS05.02", "DSS05.03", "DSS05.04", "DSS05.05", "DSS05.07", "MEA01.01", "MEA01.02", "MEA01.03", "MEA01.04", "MEA01.05", "MEA02.01"], "cui": ["3.1.7"], "hipaa": ["164.308(a)(1)(ii)(D)", "164.308(a)(3)(ii)(A)", "164.308(a)(5)(ii)(C)", "164.312(a)(2)(i)", "164.312(b)", "164.312(d)", "164.312(e)"], "isa-62443-2009": ["4.2.3.10", "4.3.2.6.7", "4.3.3.3.9", "4.3.3.5.8", "4.3.3.6.6", "4.3.4.4.7", "4.3.4.5.6", "4.3.4.5.7", "4.3.4.5.8", "4.4.2.1", "4.4.2.2", "4.4.2.4"], "isa-62443-2013": ["SR 1.13", "SR 2.10", "SR 2.11", "SR 2.12", "SR 2.6", "SR 2.8", "SR 2.9", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 6.1", "SR 6.2", "SR 7.1", "SR 7.6"], "iso27001-2013": ["A.11.2.6", "A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.7.1", "A.13.1.1", "A.13.2.1", "A.14.1.3", "A.14.2.7", "A.15.2.1", "A.15.2.2", "A.16.1.4", "A.16.1.5", "A.16.1.7", "A.6.2.1", "A.6.2.2"], "nist": ["AU-2(d)", "AU-12(c)", "AC-6(9)", "CM-6(a)"], "nist-csf": ["DE.AE-3", "DE.AE-5", "DE.CM-1", "DE.CM-3", "DE.CM-7", "ID.SC-4", "PR.AC-3", "PR.PT-1", "PR.PT-4", "RS.AN-1", "RS.AN-4"], "pcidss": ["Req-10.4.2.b"], "anssi": ["R73"], "ism": ["0582"], "pcidss4": ["10.6.3", "10.6"]}, "control_references": {"anssi": ["R73"], "ism": ["0582"], "pcidss4": ["10.6.3", "10.6"]}, "components": [], "identifiers": {}, "ocil_clause": "no line is returned", "ocil": "If the system is not configured to audit time changes, this is a finding.\nIf the system is 64-bit only, this is not applicable<br />\nocil: |\nTo determine if the system is configured to audit calls to the\n<code>stime</code> system call, run the following command:\n<pre space=\"preserve\">$ sudo grep \"stime\" /etc/audit/audit.*</pre>\nIf the system is configured to audit this activity, it will return a line.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": ["not aarch64_arch and not s390x_arch"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": ["not_aarch64_arch_and_not_s390x_arch"], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "Record Attempts to Alter Time Through stime", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml", "template": null}