MEDIUM RHCOS (Node) M6: Audit Rules - Time Modifications P2
Remediation required. This group (5 checks) fails on vanilla RHCOS 9.8 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 4.22, RHCOS 9.8) with compliance-operator v1.8.2.
Overview
This remediation configures audit rules to monitor system time modifications, which are critical for maintaining accurate audit logs and detecting tampering.
Settings
| Rule | Description |
|---|---|
| adjtimex | Audit fine-grained time adjustments |
| clock_settime | Audit clock setting operations |
| settimeofday | Audit time-of-day changes |
| stime | Audit legacy time setting |
| /etc/localtime | Watch for localtime file changes |
Implementation
```yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-audit-time-medium
  labels:
    machineconfiguration.openshift.io/role: master
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/audit/rules.d/75-time-change.rules
          mode: 0644
          overwrite: true
          contents:
            inline: |
              ## Time change monitoring
              -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
              -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
              -a always,exit -F arch=b64 -S clock_settime -k time-change
              -a always,exit -F arch=b32 -S clock_settime -k time-change
              -w /etc/localtime -p wa -k time-change
```
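To verify that a rules file actually satisfies the five checks above before rolling a MachineConfig out, the following added example (not part of the original page or the compliance-operator code) parses auditctl-style `-a`/`-w` lines and reports which check names would still fail. The rules text is a constructed copy of the file above; the check names and the per-arch requirements are assumptions derived from the checks listed on this page.

```python
"""Report which time-change audit checks a rules file would fail."""
import shlex

# Constructed copy of the rules file written by the MachineConfig above.
RULES_TEXT = """\
## Time change monitoring
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
"""

# Assumed expectations per check: syscall -> arches it must be audited on.
# stime exists only on 32-bit ABIs, so only arch=b32 is required for it.
REQUIRED_SYSCALLS = {"adjtimex": {"b64", "b32"}, "settimeofday": {"b64", "b32"},
                     "clock_settime": {"b64", "b32"}, "stime": {"b32"}}
REQUIRED_WATCH = ("/etc/localtime", {"w", "a"})  # write + attribute change


def parse_rules(text):
    """Return ({syscall: {arch, ...}}, {path: {perm, ...}}) from audit rule lines."""
    syscalls, watches = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        argv = shlex.split(line)
        if argv[:2] == ["-a", "always,exit"]:
            arch, names = None, []
            for flag, val in zip(argv, argv[1:]):   # walk "-X value" pairs
                if flag == "-F" and val.startswith("arch="):
                    arch = val[len("arch="):]
                elif flag == "-S":
                    names.extend(val.split(","))     # -S a,b or repeated -S
            for name in names:
                syscalls.setdefault(name, set()).add(arch)
        elif argv[:1] == ["-w"] and len(argv) > 1:
            perms = "".join(val for flag, val in zip(argv, argv[1:]) if flag == "-p")
            watches[argv[1]] = set(perms)
    return syscalls, watches


def missing_coverage(text):
    """Names (short form of the rhcos4-e8 checks) that the rules text does not satisfy."""
    syscalls, watches = parse_rules(text)
    failures = [f"time-{name.replace('_', '-')}" for name, arches in REQUIRED_SYSCALLS.items()
                if not arches <= syscalls.get(name, set())]
    path, perms = REQUIRED_WATCH
    if not perms <= watches.get(path, set()):
        failures.append("time-watch-localtime")
    return failures
```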
Compliance Checks Remediated
| Check | Profile | Docs |
|---|---|---|
| rhcos4-e8-worker-audit-rules-time-adjtimex | E8 | 📖 |
| rhcos4-e8-worker-audit-rules-time-clock-settime | E8 | 📖 |
| rhcos4-e8-worker-audit-rules-time-settimeofday | E8 | 📖 |
| rhcos4-e8-worker-audit-rules-time-stime | E8 | 📖 |
| rhcos4-e8-worker-audit-rules-time-watch-localtime | E8 | 📖 |
Source Remediation Files (5)
- medium/rhcos4-e8-worker-audit-rules-time-adjtimex.yaml
- medium/rhcos4-e8-worker-audit-rules-time-clock-settime.yaml
- medium/rhcos4-e8-worker-audit-rules-time-settimeofday.yaml
- medium/rhcos4-e8-worker-audit-rules-time-stime.yaml
- medium/rhcos4-e8-worker-audit-rules-time-watch-localtime.yaml
Security Impact
Time modification auditing is critical because:
- Attackers may alter time to invalidate security certificates
- Time changes can corrupt audit log sequencing
- Accurate timestamps are essential for forensic analysis
Upstream Proposal
The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:
| Setting | Scope | Target Repo | Target File | Rationale | Risk |
|---|---|---|---|---|---|
| Time modification audit rules (5 syscalls) | RAN | openshift/os | /etc/audit/rules.d/50-time-change.rules | Tracks time changes that could be used to manipulate log timestamps for forensic evasion. Scope: Time change auditing matters for forensic integrity but adds log volume on all nodes. | Low |