Title

Amazon Linux 2023 chrony must be configured with a maximum interval of 24 hours between requests sent to a USNO server or a time server designated for the appropriate DOD network. (Cat II impact)

Discussion

Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.

Check Content

Verify Amazon Linux 2023 chrony service specifies a maximum interval of 24 hours between requests sent to a USNO server with the following command: Note: <USNO/DOD Server> is used in place of a time source IP address. $ sudo grep maxpoll /etc/chrony.conf server <USNO/DOD Server> iburst maxpoll 16 If the "maxpoll" option is not configured, commented out, or set to a number greater than 16 or the line is commented out then this is a finding. Verify Amazon Linux 2023 chrony service is configured to use authoritative USNO or appropriate DOD time source with the following command: $ sudo grep -i server /etc/chrony.conf server <USNO/DOD Server> If the parameter "server" is not set, or is not set to an authoritative USNO/DOD time source, then this is a finding.

Fix Text

Configure Amazon Linux 2023 to compare internal information system clocks at least every 24 hours with an NTP server. Ensure the following line is added or updated in /etc/chrony.conf: server DOD.ntp.server iburst maxpoll 16

Additional Identifiers

Rule ID: SV-274174r1120510_rule

Vulnerability ID: V-274174

Group Title: SRG-OS-000355-GPOS-00143

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.