STIGQter: STIG Summary: Oracle Linux 6 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The audit system must be configured to audit all attempts to alter system time through /etc/localtime.

DISA Rule

SV-208886r603263_rule

Vulnerability Number

V-208886

Group Title

SRG-OS-000062

Rule Version

OL6-00-000173

Severity

CAT III

CCI(s)

• CCI-000169 - The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components.

Weight

10

Fix Recommendation

Add the following to "/etc/audit/audit.rules":

-w /etc/localtime -p wa -k audit_time_rules

The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.

Check Contents

To determine if the system is configured to audit attempts to alter time via the /etc/localtime file, run the following command:

$ sudo grep -w "/etc/localtime" /etc/audit/audit.rules

If the system is configured to audit this activity, it will return a line.

If the system is not configured to audit time changes, this is a finding.

Vulnerability Number

V-208886

Documentable

False

Rule Version

OL6-00-000173

Severity Override Guidance

To determine if the system is configured to audit attempts to alter time via the /etc/localtime file, run the following command:

$ sudo grep -w "/etc/localtime" /etc/audit/audit.rules

If the system is configured to audit this activity, it will return a line.

If the system is not configured to audit time changes, this is a finding.

Check Content Reference

M

Target Key

2928

Comments