MEDIUM RHCOS (Node) M6: Audit Rules - Time Modifications P2

PASS (vanilla RHCOS 9.8+) CNF-22622

Overview

This remediation configures audit rules that record modifications to the system time. Accurate system time is critical for maintaining reliable audit logs and detecting tampering.

Settings

Rule             Description
adjtimex         Audit fine-grained time adjustments
clock_settime    Audit clock setting operations
settimeofday     Audit time-of-day changes
stime            Audit legacy time setting
/etc/localtime   Watch for localtime file changes

Implementation

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-audit-time-medium
  labels:
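    # The role label selects the MachineConfigPool; this object targets the master pool.
    # Worker nodes need a second MachineConfig with role: worker.
    machineconfiguration.openshift.io/role: master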
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/audit/rules.d/75-time-change.rules
          mode: 0644
          overwrite: true
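          contents:
            # NOTE: `inline` is Butane shorthand. The Ignition 3.2.0 spec only
            # defines `contents.source`, so a raw MachineConfig needs these
            # rules encoded as a data: URL in that field.
            inline: |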
              ## Time change monitoring
              -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
              -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
              -a always,exit -F arch=b64 -S clock_settime -k time-change
              -a always,exit -F arch=b32 -S clock_settime -k time-change
              -w /etc/localtime -p wa -k time-change
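
One way to confirm that a node's audit rules cover every setting listed above. This is an added example, not part of the original remediation; the names `parse_rules` and `missing_coverage` are hypothetical. It accepts both the rules-file form (`-S a -S b`) and the comma-joined form (`-S a,b`).

```python
import shlex

# Syscalls the page's rules cover per architecture (stime only in the b32 rule).
REQUIRED = {
    "b64": {"adjtimex", "settimeofday", "clock_settime"},
    "b32": {"adjtimex", "settimeofday", "stime", "clock_settime"},
}
WATCH_PATH = "/etc/localtime"

# Rules copied from the MachineConfig above, embedded so the check runs offline.
PAGE_RULES = """\
## Time change monitoring
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
"""

def parse_rules(text):
    """Return ({arch: syscalls audited on exit}, {watched path: permission set})."""
    covered = {arch: set() for arch in REQUIRED}
    watches = {}
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)  # drops blank and '#' comment lines
        if len(tok) < 2:
            continue
        opts = list(zip(tok[::2], tok[1::2]))  # each option used here takes one argument
        if tok[0] == "-w":
            # auditctl treats a watch without -p as rwxa
            watches[tok[1]] = set(next((v for k, v in opts if k == "-p"), "rwxa"))
        elif tok[0] == "-a" and set(tok[1].split(",")) == {"always", "exit"}:
            arch = next((v[5:] for k, v in opts if k == "-F" and v.startswith("arch=")), None)
            if arch in covered:
                for k, v in opts:
                    if k == "-S":  # accepts "-S a -S b" and "-S a,b"
                        covered[arch].update(v.split(","))
    return covered, watches

def missing_coverage(text):
    """List required syscalls or watches that the given rule text does not audit."""
    covered, watches = parse_rules(text)
    gaps = [f"{a}:{s}" for a in sorted(REQUIRED) for s in sorted(REQUIRED[a] - covered[a])]
    if not {"w", "a"} <= watches.get(WATCH_PATH, set()):
        gaps.append(f"watch:{WATCH_PATH}")
    return gaps

if __name__ == "__main__":
    print(missing_coverage(PAGE_RULES) or "all time-change rules present")
```

An empty result means every syscall and the `/etc/localtime` watch are covered; each returned entry names the architecture and syscall (or watch) that is missing.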

Compliance Checks Remediated

Check                                               Profile
rhcos4-e8-worker-audit-rules-time-adjtimex          E8
rhcos4-e8-worker-audit-rules-time-clock-settime     E8
rhcos4-e8-worker-audit-rules-time-settimeofday      E8
rhcos4-e8-worker-audit-rules-time-stime             E8
rhcos4-e8-worker-audit-rules-time-watch-localtime   E8

Source Remediation Files (5)

  • medium/rhcos4-e8-worker-audit-rules-time-adjtimex.yaml
  • medium/rhcos4-e8-worker-audit-rules-time-clock-settime.yaml
  • medium/rhcos4-e8-worker-audit-rules-time-settimeofday.yaml
  • medium/rhcos4-e8-worker-audit-rules-time-stime.yaml
  • medium/rhcos4-e8-worker-audit-rules-time-watch-localtime.yaml

Security Impact

Time modification auditing is critical because:

  • Attackers may alter time to invalidate security certificates
  • Time changes can corrupt audit log sequencing
  • Accurate timestamps are essential for forensic analysis