The F5 BIG-IP appliance must be configured to synchronize internal information system clocks using redundant authoritative time sources.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-266076	F5BI-DM-300036	F5BI-DM-300036	SV-266076r1024608_rule	2024-09-20	1

Description
The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must use an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891. DOD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DOD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.

Description

The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must use an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891. DOD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DOD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.

ℹ️ Check
From the BIG-IP Console, issue the following commands: tmsh list sys ntp include #Verify there is a line similar to the following with more than one "server" listed #server <ntp server> key <trusted key number matched to /etc/ntp/keys> iburst trustedkey <trusted key number matched to /etc/ntp/keys> If the BIG-IP appliance is not configured to synchronize internal information system clocks using redundant authoritative time sources, this is a finding.

ℹ️ Check

From the BIG-IP Console, issue the following commands: tmsh list sys ntp include #Verify there is a line similar to the following with more than one "server" listed #server <ntp server> key <trusted key number matched to /etc/ntp/keys> iburst trustedkey <trusted key number matched to /etc/ntp/keys> If the BIG-IP appliance is not configured to synchronize internal information system clocks using redundant authoritative time sources, this is a finding.

✔️ Fix
From the BIG-IP Console, issue the following commands: tmsh edit sys ntp all-properties #Replace the "include" section with the following (add as many ntp server lines as necessary for the environment): include "server <ntp server> key <trusted key number matched to /etc/ntp/keys> iburst trustedkey <trusted key number matched to /etc/ntp/keys> server <ntp server> key <trusted key number matched to /etc/ntp/keys> iburst trustedkey <trusted key number matched to /etc/ntp/keys>" tmsh save sys config

✔️ Fix

From the BIG-IP Console, issue the following commands: tmsh edit sys ntp all-properties #Replace the "include" section with the following (add as many ntp server lines as necessary for the environment): include "server <ntp server> key <trusted key number matched to /etc/ntp/keys> iburst trustedkey <trusted key number matched to /etc/ntp/keys> server <ntp server> key <trusted key number matched to /etc/ntp/keys> iburst trustedkey <trusted key number matched to /etc/ntp/keys>" tmsh save sys config