Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-32391 | SRG-APP-000116-DB-000057 | SV-42728r1_rule | | Medium |
Description |
---|
Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Timestamps generated by the information system shall include both date and time. The time may be expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. If time sources other than the system time are used for audit records, the timeline of events can become skewed, which makes forensic analysis of the logs much less reliable. |
STIG | Date |
---|---|
Database Security Requirements Guide | 2012-07-02 |
Check Text (C-40833r1_chk) |
---|
Review DBMS settings to determine if audit logs are being recorded with time pulled from the underlying system. If timestamps on audit logs are based on something other than the system clock or a database clock synchronized with the system clock, this is a finding. |
Fix Text (F-36306r1_fix) |
---|
Modify DBMS settings to stamp audit records only with timestamps based on the underlying system clock or on a database clock synchronized with the system clock. |