# SPDX-FileCopyrightText: 2025 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
# ------------------------------------------------------------------
# METADATA
# ------------------------------------------------------------------
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.130278");
script_version("2025-11-21T05:40:28+0000");
script_tag(name:"last_modification", value:"2025-11-21 05:40:28 +0000 (Fri, 21 Nov 2025)");
script_tag(name:"creation_date", value:"2025-05-07 11:44:17 +0000 (Wed, 07 May 2025)");
script_tag(name:"cvss_base", value:"0.0");
script_tag(name:"cvss_base_vector", value:"AV:L/AC:H/Au:S/C:N/I:N/A:N");
script_tag(name:"qod", value:"97");
script_name("Configure Audit Rules for Time Changes");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2025 Greenbone AG");
script_family("Policy");
script_dependencies("compliance_tests.nasl", "compliance_os_check.nasl");
script_mandatory_keys("Compliance/Launch", "policy/ssh/login/euleros_openeuler");
script_xref(name:"Policy", value:"EulerOS Baseline: openEuler Security Configuration Baseline (v1.0.0): 4. Log Audit: 4.1 Audit: 4.1.15 Configure Audit Rules for Time Changes (Recommendation)");
script_xref(name:"Policy", value:"openEuler Baseline: openEuler Security Configuration Baseline (v1.0.0): 4. Log Audit: 4.1 Audit: 4.1.15 Configure Audit Rules for Time Changes (Recommendation)");
script_tag(name:"summary", value:"The system time is essential for the normal running of
services. The system time can be changed through synchronization with the time server and manual
operations of administrators. The latter is prone to attacks because attackers can change the
system time to invalidate some protection policies (such as password expiration) to launch attacks.
You are advised to audit the adjtimex, settimeofday, and clock_settime system calls to log system
time changes. In addition, audit the /etc/localtime file to log time zone changes. If audit is not
configured for time changes, the administrator cannot trace time changes from audit logs.
By default, audit rules for time changes are not configured in openEuler. You are advised to
configure rules based on the actual service scenario.");
exit(0);
}
include("ssh_func.inc");
include("host_details.inc");
include("policy_reporting_module.inc");
title = "Configure Audit Rules for Time Changes";
solution = "For a 32-bit system, create a rule file, for example, time.rules, in the
/etc/audit/rules.d/ directory and add audit rules to the file.
# vim /etc/audit/rules.d/time.rules
-a always,exit -F arch=b32 -S stime -S settimeofday -S adjtimex -S clock_settime -k
-w /etc/localtime -p wa -k
For a 64-bit system, add content related to arch=b64:
-a always,exit -F arch=b64 -S settimeofday -S adjtimex -S clock_settime -k
To ensure compatibility, the configuration related to arch=b32 in the 64-bit system must be
retained.
Restart the auditd service for the rules to take effect.
# service auditd restart
Stopping logging: [ OK ]
Redirecting start to /bin/systemctl start auditd.service";
check_type = "SSH_Cmd";
action = 'Run the command in the terminal:
# auditctl -l 2>/dev/null | grep -iE "adjtimex|settimeofday|clock_settime|localtime"';
expected_value = 'The output should not be empty';
# ------------------------------------------------------------------
# CONNECTION CHECK
# ------------------------------------------------------------------
if(!get_kb_item("login/SSH/success") || !sock = ssh_login_or_reuse_connection()){
report_ssh_error(title: title,
solution: solution,
action: action,
expected_value: expected_value,
check_type: check_type);
exit(0);
}
# ------------------------------------------------------------------
# CHECK : Verify command `auditctl -l | grep -iE "adjtimex|settimeofday|clock_settime|localtime"`
# ------------------------------------------------------------------
step_cmd = 'auditctl -l 2>/dev/null | grep -iE "adjtimex|settimeofday|clock_settime|localtime"';
actual_value = ssh_cmd(socket:sock, cmd:step_cmd, return_errors:TRUE, return_linux_errors_only:TRUE);
if(eregmatch(string: actual_value, pattern:"(No such file or directory|Permission denied|Command not found|Segmentation fault|service not found|is not running|syntax error near unexpected token|syntax error: unexpected end of file)", icase: TRUE)){
compliant = "incomplete";
comment = "Something went wrong during the audit check. Please try again.";
}else if(actual_value){
compliant = "yes";
comment = "Check passed";
}else{
compliant = "no";
comment = "Check failed";
}
# ------------------------------------------------------------------
# REPORT
# ------------------------------------------------------------------
target = get_kb_item("policy/ssh/login/os-release");
comment = "Target: " + target + "\n" + comment;
report_audit(action: action,
actual_value: actual_value,
expected_value: expected_value,
is_compliant: compliant,
solution: solution,
check_type: check_type,
title: title,
comment: comment);
exit(0);
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation