MEDIUM RHCOS (Node) M6: Audit Rules - Time Modifications P2
Overview
This remediation configures audit rules to monitor system time modifications, which are critical for maintaining accurate audit logs and detecting tampering.
Settings
| Rule | Description |
|---|---|
| adjtimex | Audit fine-grained time adjustments |
| clock_settime | Audit clock setting operations |
| settimeofday | Audit time-of-day changes |
| stime | Audit legacy time setting |
| /etc/localtime | Watch for localtime file changes |
Implementation
```yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-audit-time-medium
  labels:
    machineconfiguration.openshift.io/role: master
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/audit/rules.d/75-time-change.rules
          mode: 0644
          overwrite: true
          contents:
            inline: |
              ## Time change monitoring
              -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
              -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
              -a always,exit -F arch=b64 -S clock_settime -k time-change
              -a always,exit -F arch=b32 -S clock_settime -k time-change
              -w /etc/localtime -p wa -k time-change
```
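As an added example (not part of this remediation or the Compliance Operator), a small Python checker that parses a rules file written in the auditctl syntax above and reports which of the required (arch, syscall) pairs and file watches are missing. The required set is constructed from the Settings table; it treats `stime` as 32-bit only, matching the rules above, and also accepts the comma form `-S a,b` that auditctl allows.

```python
import shlex

# Expected coverage from the Settings table (constructed); stime is a 32-bit-only syscall.
REQUIRED_SYSCALLS = {
    "b64": {"adjtimex", "settimeofday", "clock_settime"},
    "b32": {"adjtimex", "settimeofday", "clock_settime", "stime"},
}
REQUIRED_WATCHES = {"/etc/localtime": set("wa")}

# Constructed sample: the inline contents of 75-time-change.rules above.
SAMPLE_RULES = """\
## Time change monitoring
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
"""

def parse_rules(text):
    """Return ({arch: syscalls}, {path: perms}) found in auditctl-style rules."""
    syscalls = {"b64": set(), "b32": set()}
    watches = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        args = shlex.split(line)
        if args[0] == "-a":
            arch, names = None, set()
            for flag, value in zip(args, args[1:]):
                if flag == "-F" and value.startswith("arch="):
                    arch = value[len("arch="):]
                elif flag == "-S":
                    names.update(value.split(","))  # auditctl also accepts -S a,b
            if arch in syscalls:
                syscalls[arch].update(names)
        elif args[0] == "-w" and "-p" in args:
            watches[args[1]] = set(args[args.index("-p") + 1])
    return syscalls, watches

def missing_coverage(text):
    """List the required rules absent from text; an empty list means full coverage."""
    syscalls, watches = parse_rules(text)
    gaps = [f"{arch}:{name}" for arch, req in REQUIRED_SYSCALLS.items()
            for name in sorted(req - syscalls[arch])]
    gaps += [f"watch:{path}" for path, perms in REQUIRED_WATCHES.items()
             if not perms <= watches.get(path, set())]
    return gaps
```

Running `missing_coverage` over the contents of `/etc/audit/rules.d/75-time-change.rules` on a node gives an empty list when the remediation is fully in place; each reported gap names the arch and syscall (or watch path) that a compliance scan would flag.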
Compliance Checks Remediated
| Check | Profile | Docs |
|---|---|---|
| rhcos4-e8-worker-audit-rules-time-adjtimex | E8 | 📖 |
| rhcos4-e8-worker-audit-rules-time-clock-settime | E8 | 📖 |
| rhcos4-e8-worker-audit-rules-time-settimeofday | E8 | 📖 |
| rhcos4-e8-worker-audit-rules-time-stime | E8 | 📖 |
| rhcos4-e8-worker-audit-rules-time-watch-localtime | E8 | 📖 |
Source Remediation Files (5)
- medium/rhcos4-e8-worker-audit-rules-time-adjtimex.yaml
- medium/rhcos4-e8-worker-audit-rules-time-clock-settime.yaml
- medium/rhcos4-e8-worker-audit-rules-time-settimeofday.yaml
- medium/rhcos4-e8-worker-audit-rules-time-stime.yaml
- medium/rhcos4-e8-worker-audit-rules-time-watch-localtime.yaml
Security Impact
Time modification auditing is critical because:
- Attackers may alter time to invalidate security certificates
- Time changes can corrupt audit log sequencing
- Accurate timestamps are essential for forensic analysis
Upstream Proposal
The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:
- Time modification audit rules (5 syscalls): RAN, Low, openshift/os, /etc/audit/rules.d/50-time-change.rules
  Tracks time changes that could be used to manipulate log timestamps for forensic evasion.
  Scope: Time change auditing matters for forensic integrity but adds log volume on all nodes.
PR History
Time modification audit rules (5 syscalls)
Audit rules are compliance monitoring policies, not security defaults. RHCOS ships no audit rules in rules.d by default — only samples in /usr/share/audit/sample-rules/ that Red Hat explicitly warns are 'not exhaustive nor up to date.' CoreOS maintainers debated whether to include the audit RPM at all (fedora-coreos-tracker#461) and called it 'an odd fit' (coreos/bugs#140). Audit messages already flood console on fresh boot (fedora-coreos-tracker#220). Deploying rules in the base image would substantially increase audit volume for all RHCOS deployments. The Compliance Operator's MachineConfig remediation model is the intended deployment path.