
CCE-91992-8

Platform: cpe:/o:ubuntu:ubuntu_linux:16.04
Date: (C)2018-07-09   (M)2023-07-04



Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (set time, using timeval and timezone structures), stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed, and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier time-change.

Rationale: Unexpected changes in system date and/or time could be a sign of malicious activity on the system.


Parameter:

[yes/no]


Technical Mechanism:

For 64 bit systems, add the following lines to the /etc/audit/audit.rules file.

    -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
    -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
    -a always,exit -F arch=b64 -S clock_settime -k time-change
    -a always,exit -F arch=b32 -S clock_settime -k time-change
    -w /etc/localtime -p wa -k time-change

Execute the following command to restart auditd:

    # pkill -HUP -P 1 auditd

For 32 bit systems, add the following lines to the /etc/audit/audit.rules file.

    -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
    -a always,exit -F arch=b32 -S clock_settime -k time-change
    -w /etc/localtime -p wa -k time-change

Execute the following command to restart auditd:

    # pkill -HUP -P 1 auditd
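One way to check a rules file for the 64-bit coverage listed above, as an added example (not part of the original CCE entry or its OVAL definition). The function name check_time_change_rules and the sample rules file are assumptions constructed for illustration; the check matches per architecture and syscall, so rules split or merged across lines still pass.

```shell
#!/bin/sh
# Added example: report time-change audit coverage missing from a rules file.
# Returns 0 when every required syscall rule and the watch are present.
check_time_change_rules() {
    awk '
    BEGIN {
        # Coverage required on a 64-bit system, taken from the rules above.
        req = "b64:adjtimex b64:settimeofday b64:clock_settime"
        req = req " b32:adjtimex b32:settimeofday b32:stime b32:clock_settime"
        n = split(req, need, " ")
    }
    /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
    {
        arch = ""; key = ""; action = ""; path = ""; perm = ""; ns = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "-a") action = $(i+1)
            else if ($i == "-S") sc[++ns] = $(i+1)
            else if ($i == "-F" && $(i+1) ~ /^arch=/) arch = substr($(i+1), 6)
            else if ($i == "-k") key = $(i+1)
            else if ($i == "-w") path = $(i+1)
            else if ($i == "-p") perm = $(i+1)
        }
        if (key != "time-change") next  # only rules tagged with the key count
        if (action == "always,exit")
            for (j = 1; j <= ns; j++) have[arch ":" sc[j]] = 1
        if (path == "/etc/localtime" && perm ~ /w/ && perm ~ /a/)
            have["watch"] = 1
    }
    END {
        bad = 0
        for (k = 1; k <= n; k++)
            if (!(need[k] in have)) { print "missing syscall rule: " need[k]; bad = 1 }
        if (!("watch" in have)) { print "missing watch: /etc/localtime (-p wa)"; bad = 1 }
        exit bad
    }' "$1"
}

# Constructed sample: the b32 stime syscall and the /etc/localtime watch are absent.
sample=$(mktemp)
cat > "$sample" <<'EOF'
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
EOF
check_time_change_rules "$sample" || echo "time-change audit rules incomplete"
rm -f "$sample"
```

On a real host, pass /etc/audit/audit.rules as the argument.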

CCSS Severity:
CCSS Score: 5.1
Exploit Score: 2.5
Impact Score: 2.5
Severity: MEDIUM
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CCSS Metrics:
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: LOW
Integrity: LOW
Availability: NONE
  

References:
Resource Id                  Reference
SCAP Repo OVAL Definition    oval:org.secpod.oval:def:46253


OVAL    1
oval:org.secpod.oval:def:46253
XCCDF    1
xccdf_org.secpod_benchmark_general_Ubuntu_16_04

© SecPod Technologies