mediumauditverified ✓rollback-safe
Audit system time changes
audit-time-change · RHEL ≥ 8 · 1 impl
Description
Changes to system time must be audited. Time modifications can be used to cover up malicious activity by altering log timestamps.
Rationale
Auditing time changes provides forensic evidence of attempts to manipulate system time, which could indicate an attempt to hide unauthorized activity.
Check → Remediate
Checkcommand
rules=$(auditctl -l 2>/dev/null) echo "$rules" | grep -qE '^-a always,exit.*-S.*adjtimex' && \ echo "$rules" | grep -qE '^-a always,exit.*-S.*settimeofday' && \ echo "$rules" | grep -qE '^-a always,exit.*-S.*clock_settime'
- expected_exit:
- 0
Remediateaudit_rule_set
- rule:
- -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
- persist_file:
- /etc/audit/rules.d/50-time-change.rules
Framework references
CIS
rhel8 6.3.3.4rhel9 6.3.3.4rhel10 6.3.3.4
NIST 800-53
AU-2AU-12
Live verification
rhel10:checkrhel8:checkrhel9:check
#audit#auditd#time