The mobile operating system must produce audit records containing date and timestamps (to one second resolution) for every event.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-32954	SRG-OS-000038-MOS-000014	SV-43352r1_rule		Low

Description
Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes timestamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. Without sufficient information establishing when the audit events occurred, investigation into the cause of events is severely hindered. The inclusion of timestamps enables correlation of events across disparate systems, which can be critical to isolating IA incidents and developing appropriate countermeasures. Date and timestamp should be from a global time reference format to ensure geographic changes do not distort records.

Description

Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes timestamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. Without sufficient information establishing when the audit events occurred, investigation into the cause of events is severely hindered. The inclusion of timestamps enables correlation of events across disparate systems, which can be critical to isolating IA incidents and developing appropriate countermeasures. Date and timestamp should be from a global time reference format to ensure geographic changes do not distort records.

STIG	Date
Mobile Operating System Security Requirements Guide	2013-07-03

Details

Check Text ( C-41255r1_chk )
Review the audit logs for timestamps with a resolution of at least one second (i.e., the entry shows the date and time to the second it occurred) using a global time reference. If any log entry does not have a timestamp with a resolution of at least one second, this is a finding.

Fix Text (F-36869r1_fix)
Modify the audit configuration to include timestamps for audit entries using a global time reference.