SV-100163r1_rule
V-89513
SRG-OS-000062-GPOS-00031
VRAU-SL-000200
CAT II
10
To configure the system to audit attempts to alter time via the /etc/localtime file, run the following command:
echo '-w /etc/localtime -p wa -k localtime' >> /etc/audit/audit.rules
Or run the following command to implement all logging requirements:
# /etc/dodscript.sh
To determine if the system is configured to audit attempts to alter time via the /etc/localtime file, run the following command:
# auditctl -l | grep "watch=/etc/localtime"
If the system is configured to audit this activity, it will return.
LIST_RULES: exit,always watch=/etc/localtime perm=wa key=localtime
If no line is returned, this is a finding.
V-89513
False
VRAU-SL-000200
To determine if the system is configured to audit attempts to alter time via the /etc/localtime file, run the following command:
# auditctl -l | grep "watch=/etc/localtime"
If the system is configured to audit this activity, it will return.
LIST_RULES: exit,always watch=/etc/localtime perm=wa key=localtime
If no line is returned, this is a finding.
M
3459