The applications must use internal system clocks to generate time stamps for audit records.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-69477	APSC-DV-001250	SV-84099r1_rule		Medium

Description
Without an internal clock used as the reference for the time stored on each event to provide a trusted common reference for the time, forensic analysis would be impeded. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. If the internal clock is not used, the system may not be able to provide time stamps for log messages. Additionally, externally generated time stamps may not be accurate. Applications can use the capability of an operating system or purpose-built module for this purpose.

Description

Without an internal clock used as the reference for the time stored on each event to provide a trusted common reference for the time, forensic analysis would be impeded. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. If the internal clock is not used, the system may not be able to provide time stamps for log messages. Additionally, externally generated time stamps may not be accurate. Applications can use the capability of an operating system or purpose-built module for this purpose.

STIG	Date
Application Security and Development Security Technical Implementation Guide	2018-04-03

Details

Check Text ( C-69895r1_chk )
Review the system documentation and interview the application administrator for details regarding application architecture and logging configuration. Identify the application components and the logs associated with the components. Ensure the time written into the logs coincides with the OS timeclock. Access random audit records and review the most recent logs. Access the system OS hosting the application and use the related OS commands to determine the time of the system. Perform an action in the application that causes a log event to be written and review the log to ensure the system times and the application log times correlate; compensating for any time delays that may have occurred between running the OS time command and running the application action. If the application doesn't use the internal system clocks to generate time stamps for the audit event logs, this is a finding.

Check Text ( C-69895r1_chk )

Review the system documentation and interview the application administrator for details regarding application architecture and logging configuration.

Identify the application components and the logs associated with the components.

Ensure the time written into the logs coincides with the OS timeclock.

Access random audit records and review the most recent logs.

Access the system OS hosting the application and use the related OS commands to determine the time of the system.

Perform an action in the application that causes a log event to be written and review the log to ensure the system times and the application log times correlate; compensating for any time delays that may have occurred between running the OS time command and running the application action.

If the application doesn't use the internal system clocks to generate time stamps for the audit event logs, this is a finding.

Fix Text (F-75653r1_fix)
Configure the application to use the hosting systems internal clock for audit record generation.