Profile Applicability:

Level 2

Description:

Events that modify the system date, time or timezone can indicate unauthorized changes or malicious activity: an account that can move the clock can make log timestamps misleading and undermine time-dependent controls. Ensuring these events are collected allows for better auditing and monitoring of system integrity and security.

Rationale:

Collecting date and time modification events provides visibility into potential security incidents such as tampering with the system clock to obscure the log timeline. Clock changes also affect authentication mechanisms that depend on synchronised time (for example Kerberos ticket validity and certificate expiry checks) and break log correlation across hosts.

Impact:

Pros:
Enhances security by tracking and auditing any changes to system time.
Helps identify potential tampering with system logs or authentication mechanisms.

Cons:
Increases logging overhead, requiring efficient log management.

Default Value:

By default, auditd ships with no rules for date and time changes, so these events are not logged unless explicitly configured.

Pre-requisites:

Root or sudo privileges to configure audit logging.

Remediation:

Test Plan:
Using Linux command line:
Check whether audit rules for date and time modification events are loaded (the key used in the Implementation Plan is time-modification):

auditctl -l | grep time-modification


Both file watches (/etc/localtime and /etc/adjtime) should be listed with permissions wa and that key. An empty result means the control is not in place. Rules that appear in auditctl -l but are not present in a file under /etc/audit/rules.d/ are runtime only and will not survive a reboot.

Implementation Plan:
Using Linux command line:
Add audit rules to capture date and time modifications. These auditctl calls take effect immediately but are not persistent; to keep them across reboots, also write the same lines to a file under /etc/audit/rules.d/ and run augenrules --load:

auditctl -w /etc/localtime -p wa -k time-modification
auditctl -w /etc/adjtime -p wa -k time-modification


Verify that both rules have been added (the output should list the two watches with -p wa and -k time-modification):

auditctl -l | grep time-modification
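
The script below is an added example, not part of the CIS page or of any auditd tooling. It installs the rules persistently and then checks loaded rules the way the Test Plan does. It also goes beyond the two file watches above: direct clock changes are made through the adjtimex, settimeofday and clock_settime system calls and never touch /etc/localtime or /etc/adjtime, so syscall rules are included for both the 64-bit and 32-bit syscall tables. The rules file name 50-time-modification.rules and the helper function names are the author's choices; the key time-modification matches the rules on this page.

```shell
#!/usr/bin/env bash
# Added example (not from the CIS page): install persistent audit rules for
# date/time changes and check loaded rules the way the Test Plan does.
# Assumptions: the rules file name and the helper names are the author's;
# the key time-modification is the one used by the rules on this page.

RULES_FILE=/etc/audit/rules.d/50-time-modification.rules
KEY=time-modification

# The rule set to install. The page's two file watches catch edits to the
# timezone and drift files; direct clock changes go through the adjtimex,
# settimeofday and clock_settime system calls and need syscall rules, so those
# are included for both the 64-bit and 32-bit syscall tables.
time_modification_rules() {
  cat <<EOF
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k $KEY
-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k $KEY
-w /etc/localtime -p wa -k $KEY
-w /etc/adjtime -p wa -k $KEY
EOF
}

# Write the rules file and load it into the running kernel (needs root).
install_time_modification_rules() {
  time_modification_rules > "$RULES_FILE"
  augenrules --load
}

# Helpers that inspect saved `auditctl -l` output ($1 is the file holding it).
# auditctl -l prints syscall rules with "-F key=..." and lists syscalls in
# kernel number order, so match on fields rather than on the exact line.
has_syscall_rule() {   # $1 output file, $2 arch (b64/b32), $3 syscall name
  grep -E -- "-F arch=$2( |$)" "$1" | grep -E -- "(-k |-F key=)$KEY( |$)" |
    sed -n 's/.*-S \([^ ]*\).*/,\1,/p' | grep -q -- ",$3,"
}

has_watch_rule() {     # $1 output file, $2 watched path
  grep -E -- "^-w $2 " "$1" | grep -E -- "(-k |-F key=)$KEY( |$)" |
    sed -n 's/.*-p \([^ ]*\).*/\1/p' | grep -Eq 'w.*a|a.*w'
}

# Test Plan check: returns 0 only if every expected rule is loaded, and names
# each missing rule on stdout otherwise.
check_time_modification_rules() {   # $1 output file
  local missing=0 arch sc path
  for arch in b64 b32; do
    for sc in adjtimex settimeofday clock_settime; do
      has_syscall_rule "$1" "$arch" "$sc" || { echo "MISSING: arch=$arch -S $sc"; missing=1; }
    done
  done
  for path in /etc/localtime /etc/adjtime; do
    has_watch_rule "$1" "$path" || { echo "MISSING: -w $path -p wa"; missing=1; }
  done
  return "$missing"
}

# Usage: run as root with "install" to apply the rules and check them,
# or with "check" to audit the currently loaded rule set only.
case "${1:-}" in
  install) install_time_modification_rules && auditctl -l > "/tmp/audit-rules.$$" \
             && check_time_modification_rules "/tmp/audit-rules.$$" ;;
  check)   auditctl -l > "/tmp/audit-rules.$$" \
             && check_time_modification_rules "/tmp/audit-rules.$$" ;;
esac
```

A non-zero exit from the check, together with the MISSING lines, points at exactly which rule is absent; because the check reads saved auditctl -l output from a file, the same function can be run against output collected from many hosts.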

Backout Plan:
Using Linux command line:

Remove the runtime audit rules for time and date modification. If the rules were also written to a file under /etc/audit/rules.d/, delete that file and run augenrules --load as well, otherwise they return at the next reboot:

auditctl -W /etc/localtime -p wa -k time-modification
auditctl -W /etc/adjtime -p wa -k time-modification


Verify removal (the command should print nothing):

auditctl -l | grep time-modification

References:

CIS Amazon Linux 2 Benchmark v3.0.0
Auditd Documentation
NIST SP 800-53 Revision 5 - AU-6