{"description": "If the auditd daemon is configured to use the\naugenrules program to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffix .rules in the\ndirectory /etc/audit/rules.d:\n-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
\nIf the auditd daemon is configured to use the auditctl\nutility to read audit rules during daemon startup, add the following line to\n/etc/audit/audit.rules file:\n-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
\nThe -k option allows for the specification of a key in string form that can be\nused for better reporting capability through ausearch and aureport. Multiple\nsystem calls can be defined on the same line to save space if desired, but is\nnot required. See an example of multiple combined syscalls:\n-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
", "rationale": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). All changes\nto the system time should be audited.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "19", "2", "3", "4", "5", "6", "7", "8", "9"], "cjis": ["5.4.1.1"], "cobit5": ["APO10.01", "APO10.03", "APO10.04", "APO10.05", "APO11.04", "APO12.06", "APO13.01", "BAI03.05", "BAI08.02", "DSS01.03", "DSS01.04", "DSS02.02", "DSS02.04", "DSS02.07", "DSS03.01", "DSS03.05", "DSS05.02", "DSS05.03", "DSS05.04", "DSS05.05", "DSS05.07", "MEA01.01", "MEA01.02", "MEA01.03", "MEA01.04", "MEA01.05", "MEA02.01"], "cui": ["3.1.7"], "hipaa": ["164.308(a)(1)(ii)(D)", "164.308(a)(3)(ii)(A)", "164.308(a)(5)(ii)(C)", "164.312(a)(2)(i)", "164.312(b)", "164.312(d)", "164.312(e)"], "isa-62443-2009": ["4.2.3.10", "4.3.2.6.7", "4.3.3.3.9", "4.3.3.5.8", "4.3.3.6.6", "4.3.4.4.7", "4.3.4.5.6", "4.3.4.5.7", "4.3.4.5.8", "4.4.2.1", "4.4.2.2", "4.4.2.4"], "isa-62443-2013": ["SR 1.13", "SR 2.10", "SR 2.11", "SR 2.12", "SR 2.6", "SR 2.8", "SR 2.9", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 6.1", "SR 6.2", "SR 7.1", "SR 7.6"], "iso27001-2013": ["A.11.2.6", "A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.7.1", "A.13.1.1", "A.13.2.1", "A.14.1.3", "A.14.2.7", "A.15.2.1", "A.15.2.2", "A.16.1.4", "A.16.1.5", "A.16.1.7", "A.6.2.1", "A.6.2.2"], "nist": ["AU-2(d)", "AU-12(c)", "AC-6(9)", "CM-6(a)"], "nist-csf": ["DE.AE-3", "DE.AE-5", "DE.CM-1", "DE.CM-3", "DE.CM-7", "ID.SC-4", "PR.AC-3", "PR.PT-1", "PR.PT-4", "RS.AN-1", "RS.AN-4"], "pcidss": ["Req-10.4.2.b"], "cis": ["6.3.3.4"], "ism": ["0582"], "pcidss4": ["10.6.3", "10.6"]}, "control_references": {"cis": ["6.3.3.4"], "ism": ["0582"], "pcidss4": ["10.6.3", "10.6"]}, "components": [], "identifiers": {}, "ocil_clause": "no line is returned", "ocil": "To determine if the system is configured to audit calls to the\nsettimeofday system call, run the following command:\n$ sudo grep \"settimeofday\" /etc/audit/audit.*
\nIf the system is configured to audit this activity, it will return a line.\n", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "Record attempts to alter time through settimeofday", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml", "template": null}