CCE-94254-0Platform: rhel8 | Date: (C)2019-11-07 (M)2022-10-10 |
Record Attempts to Alter Time Through stime
If the 'auditd' daemon is configured to use the
'augenrules' program to read audit rules during daemon startup (the
default), add the following line to a file with suffix '.rules' in the
directory '/etc/audit/rules.d' for both 32 bit and 64 bit systems:
'-a always,exit -F arch=b32 -S stime -k audit_time_rules'
Since the 64 bit version of the "stime" system call is not defined in the audit
lookup table, the corresponding "-F arch=b64" form of this rule is not expected
to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule
form itself is sufficient for both 32 bit and 64 bit systems). If the
'auditd' daemon is configured to use the 'auditctl' utility to
read audit rules during daemon startup, add the following line to
'/etc/audit/audit.rules' file for both 32 bit and 64 bit systems:
'-a always,exit -F arch=b32 -S stime -k audit_time_rules'
Since the 64 bit version of the "stime" system call is not defined in the audit
lookup table, the corresponding "-F arch=b64" form of this rule is not expected
to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule
form itself is sufficient for both 32 bit and 64 bit systems). The -k option
allows for the specification of a key in string form that can be used for
better reporting capability through ausearch and aureport. Multiple system
calls can be defined on the same line to save space if desired, but is not
required. See an example of multiple combined system calls:
'-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules'
Parameter:
Technical Mechanism:
Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited.
Fix:
No Remediation Info
CCSS Severity: | CCSS Metrics: |
CCSS Score : | Attack Vector: |
Exploit Score: | Attack Complexity: |
Impact Score: | Privileges Required: |
Severity: | User Interaction: |
Vector: | Scope: |
| Confidentiality: |
| Integrity: |
| Availability: |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:55695 |