AOS must be configured to synchronize internal information system clocks using redundant authoritative time sources.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-266953 | SRG-APP-000373-NDM-000298 | ARBA-ND-000298 | SV-266953r1039880_rule | 2024-10-29 | 1 |
| Description |
|---|
| The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must use an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891. DOD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DOD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source. |
| ℹ️ Check |
|---|
| Verify the AOS configuration with the following command: show ntp servers If at least two NTP servers are not configured, this is a finding. |
| ✔️ Fix |
|---|
| Configure AOS with the following commands: configure terminal ntp authentication-key (keyid #> sha1 <plaintext key> ntp trusted-key <keyid #> ntp server <first fqdn, ipv4, or ipv6 address> key <keyid #> ntp server <second fqdn, ipv4, or ipv6 address> key <keyid #> ntp authenticate write memory |