Check: AOSX-13-000330
Apple OS X 10.13 STIG:
AOSX-13-000330
(in versions v2 r5 through v1 r4)
Title
The macOS system must, for networked systems, compare internal information system clocks at least every 24 hours with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet) and/or the Global Positioning System (GPS). (Cat II impact)
Discussion
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside of the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144
Check Content
The Network Time Protocol (NTP) service must be enabled on all networked systems. To check if the service is running, use the following command: /usr/bin/sudo /bin/launchctl list | grep com.apple.timed 83 0 com.apple.timed If nothing is returned, this is a finding. To verify that an authorized NTP server is configured, run the following command or examine "/etc/ntp.conf": /usr/bin/sudo /usr/bin/grep ^server /etc/ntp.conf server ntp.usno.navy.mil server ntp.usnogps.navy.mil Note: Only approved time servers should be configured for use. If no server is configured, or if an unapproved time server is in use, this is a finding.
Fix Text
To enable the NTP service, run the following command: /usr/bin/sudo /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.timed.plist To configure one or more time servers for use, edit "/etc/ntp.conf" and enter each hostname or IP address on a separate line, prefixing each one with the keyword "server".
Additional Identifiers
Rule ID: SV-214838r609363_rule
Vulnerability ID: V-214838
Group Title: SRG-OS-000355-GPOS-00143
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001891 |
The information system compares internal information system clocks on an organization-defined frequency with an organization-defined authoritative time source. |
CCI-002046 |
The information system synchronizes the internal system clocks to the authoritative time source when the time difference is greater than the organization-defined time period. |
Controls
Number | Title |
---|---|
AU-8 (1) |
Synchronization With Authoritative Time Source |