CounterACT must compare internal information systems clocks at least every 24 hours with an authoritative time server.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-76259	CACT-NM-000036	SV-90947r1_rule		Medium

Description
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside of the configured acceptable allowance (drift) may be inaccurate. Additionally, unnecessary synchronization may have an adverse impact on system performance and may indicate malicious activity. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.

Description

Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside of the configured acceptable allowance (drift) may be inaccurate. Additionally, unnecessary synchronization may have an adverse impact on system performance and may indicate malicious activity. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.

STIG	Date
ForeScout CounterACT NDM Security Technical Implementation Guide	2017-09-19

Details

Check Text ( C-75945r1_chk )
Check the network device configuration to determine if the device compares internal information system clocks at least every 24 hours with an authoritative time server. 1. Open an SSH session and authenticate to the CounterACT command line. 2. Verify the configured NTP servers with the command "fstool ntp". 3. Run the "date" command to look at the current system time compared to the known good, Network Time Protocol (NTP) server time. If the device does not compare internal information system clocks at least every 24 hours, this is a finding.

Check Text ( C-75945r1_chk )

Check the network device configuration to determine if the device compares internal information system clocks at least every 24 hours with an authoritative time server.

1. Open an SSH session and authenticate to the CounterACT command line.
2. Verify the configured NTP servers with the command "fstool ntp".
3. Run the "date" command to look at the current system time compared to the known good, Network Time Protocol (NTP) server time.

If the device does not compare internal information system clocks at least every 24 hours, this is a finding.

Fix Text (F-82895r1_fix)
Configure CounterACT to compare internal information system clocks at least every 24 hours with an authoritative time server. 1. Open an SSH session and authenticate to CounterACT command line. 2. Configure the NTP servers with the command "fstool ntp setup ".