MEDIUM M6: Audit Rules - Time Modifications P2

Overview

This remediation configures audit rules that record modifications to the system time. Accurate system time is critical for maintaining reliable audit logs, and recording changes to it helps detect tampering.

Settings

Rule            Description
adjtimex        Audit fine-grained time adjustments
clock_settime   Audit clock setting operations
settimeofday    Audit time-of-day changes
stime           Audit legacy time setting
/etc/localtime  Watch for localtime file changes

Implementation

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-audit-time-medium
  labels:
    machineconfiguration.openshift.io/role: master
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/audit/rules.d/75-time-change.rules
          mode: 0644
          overwrite: true
          contents:
            inline: |
              ## Time change monitoring
              -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
              -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
              -a always,exit -F arch=b64 -S clock_settime -k time-change
              -a always,exit -F arch=b32 -S clock_settime -k time-change
              -w /etc/localtime -p wa -k time-change

Compliance Checks Remediated

Check                                              Profile
rhcos4-e8-worker-audit-rules-time-adjtimex         E8
rhcos4-e8-worker-audit-rules-time-clock-settime    E8
rhcos4-e8-worker-audit-rules-time-settimeofday     E8
rhcos4-e8-worker-audit-rules-time-stime            E8
rhcos4-e8-worker-audit-rules-time-watch-localtime  E8
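
One way to confirm that a node's audit rules cover everything in the Implementation section, as an added example that is not part of the original page or its remediation files: the function parses audit rules text (the rules-file syntax shown above, or the comma-joined `-F key=` form that `auditctl -l` prints) and reports each syscall/architecture pair or watch that no rule covers. The function name, the output labels and the DRIFTED sample are constructed for illustration.

```python
import shlex

# Syscalls the page's rules cover per architecture (stime is listed for b32 only).
REQUIRED = {
    "b64": {"adjtimex", "settimeofday", "clock_settime"},
    "b32": {"adjtimex", "settimeofday", "stime", "clock_settime"},
}
WATCH_PATH, KEY = "/etc/localtime", "time-change"

def missing_time_rules(rules_text):
    """Return sorted 'arch:syscall' / 'watch:path' items that no rule covers."""
    seen = {arch: set() for arch in REQUIRED}
    watch_ok = False
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        opts = list(zip(tok, tok[1:]))          # adjacent (flag, value) pairs
        fields = [v for f, v in opts if f == "-F"]
        # auditctl -l prints the key as "-F key=..."; rules files use "-k ...".
        if ("-k", KEY) not in opts and f"key={KEY}" not in fields:
            continue
        if ("-w", WATCH_PATH) in opts:
            # Conservative: require an explicit -p with w and a, as on the page.
            perms = next((v for f, v in opts if f == "-p"), "")
            watch_ok = watch_ok or {"w", "a"} <= set(perms)
        elif ("-a", "always,exit") in opts or ("-a", "exit,always") in opts:
            # -S may repeat or carry a comma-separated list.
            calls = {s for f, v in opts if f == "-S" for s in v.split(",")}
            for arch in REQUIRED:
                if f"arch={arch}" in fields:
                    seen[arch] |= calls
    missing = [f"{a}:{s}" for a in REQUIRED for s in REQUIRED[a] - seen[a]]
    if not watch_ok:
        missing.append(f"watch:{WATCH_PATH}")
    return sorted(missing)

# Constructed sample in `auditctl -l` style: the b32 clock_settime rule is
# absent and the localtime watch records writes only (no attribute changes).
DRIFTED = """\
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
-a always,exit -F arch=b32 -S stime,settimeofday,adjtimex -F key=time-change
-a always,exit -F arch=b64 -S clock_settime -F key=time-change
-w /etc/localtime -p w -k time-change
"""

if __name__ == "__main__":
    print(missing_time_rules(DRIFTED))
```

An empty result means every rule from the Implementation section is present with the `time-change` key; rules tagged with a different key are deliberately not counted.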

Source Remediation Files (5)

  • medium/rhcos4-e8-worker-audit-rules-time-adjtimex.yaml
  • medium/rhcos4-e8-worker-audit-rules-time-clock-settime.yaml
  • medium/rhcos4-e8-worker-audit-rules-time-settimeofday.yaml
  • medium/rhcos4-e8-worker-audit-rules-time-stime.yaml
  • medium/rhcos4-e8-worker-audit-rules-time-watch-localtime.yaml

Security Impact

Time modification auditing is critical because:

  • Attackers may alter time to invalidate security certificates
  • Time changes can corrupt audit log sequencing
  • Accurate timestamps are essential for forensic analysis