{"description": "\n\n\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>\nprogram to read audit rules during daemon startup (the default), add the\nfollowing lines to a file with suffix <tt>.rules</tt> in the\ndirectory <tt>/etc/audit/rules.d</tt>:\n\n<pre>-w /etc/localtime -p wa -k audit_time_rules</pre>\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add the following lines to\n<tt>/etc/audit/audit.rules</tt>:\n\n<pre>-w /etc/localtime -p wa -k audit_time_rules</pre>", "rationale": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). All changes\nto the system time should be audited.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "19", "2", "3", "4", "5", "6", "7", "8", "9"], "cjis": ["5.4.1.1"], "cobit5": ["APO10.01", "APO10.03", "APO10.04", "APO10.05", "APO11.04", "APO12.06", "APO13.01", "BAI03.05", "BAI08.02", "DSS01.03", "DSS01.04", "DSS02.02", "DSS02.04", "DSS02.07", "DSS03.01", "DSS03.05", "DSS05.02", "DSS05.03", "DSS05.04", "DSS05.05", "DSS05.07", "MEA01.01", "MEA01.02", "MEA01.03", "MEA01.04", "MEA01.05", "MEA02.01"], "cui": ["3.1.7"], "hipaa": ["164.308(a)(1)(ii)(D)", "164.308(a)(3)(ii)(A)", "164.308(a)(5)(ii)(C)", "164.312(a)(2)(i)", "164.312(b)", "164.312(d)", "164.312(e)"], "isa-62443-2009": ["4.2.3.10", "4.3.2.6.7", "4.3.3.3.9", "4.3.3.5.8", "4.3.3.6.6", "4.3.4.4.7", "4.3.4.5.6", "4.3.4.5.7", "4.3.4.5.8", "4.4.2.1", "4.4.2.2", "4.4.2.4"], "isa-62443-2013": ["SR 1.13", "SR 2.10", "SR 2.11", "SR 2.12", "SR 2.6", "SR 2.8", "SR 2.9", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 6.1", "SR 6.2", "SR 7.1", "SR 7.6"], "iso27001-2013": ["A.11.2.6", "A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.7.1", "A.13.1.1", "A.13.2.1", "A.14.1.3", "A.14.2.7", "A.15.2.1", "A.15.2.2", "A.16.1.4", "A.16.1.5", "A.16.1.7", "A.6.2.1", "A.6.2.2"], "nist": ["AU-2(d)", "AU-12(c)", "AC-6(9)", "CM-6(a)"], "nist-csf": ["DE.AE-3", "DE.AE-5", "DE.CM-1", "DE.CM-3", "DE.CM-7", "ID.SC-4", "PR.AC-3", "PR.PT-1", "PR.PT-4", "RS.AN-1", "RS.AN-4"], "pcidss": ["Req-10.4.2.b"], "anssi": ["R73"], "cis": ["6.3.3.4"], "ism": ["0582"], "pcidss4": ["10.6.3", "10.6"]}, "control_references": {"anssi": ["R73"], "cis": ["6.3.3.4"], "ism": ["0582"], "pcidss4": ["10.6.3", "10.6"]}, "components": [], "identifiers": {}, "ocil_clause": "the system is not configured to audit time changes", "ocil": "\nVerify Ubuntu 22.04 generates audit records for all events that affect \"/etc/localtime\" with the following command:\n\n$ sudo auditctl -l | grep /etc/localtime\n\n-w /etc/localtime -p wa -k audit_time_rules", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "Record Attempts to Alter the localtime File", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml", "template": {"name": "audit_rules_watch", "vars": {"path": "/etc/localtime", "key": "audit_time_rules"}, "backends": {}}}