
The operating system must synchronize internal information system clocks at least once every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).


Overview

Finding ID: V-47985
Version: SOL-11.1-090020
Rule ID: SV-60857r1_rule
IA Controls: (none listed)
Severity: Medium
Description
To assure the accuracy of the system clock, it must be synchronized with an authoritative time source within DoD. Many system functions, including time-based login and activity restrictions, automated reports, system logs, and audit records depend on an accurate system clock. If there is no confidence in the correctness of the system clock, time-based functions may not operate as intended and records may be of diminished value.
STIG: Solaris 11 X86 Security Technical Implementation Guide
Date: 2015-04-03

Details

Check Text (C-50421r3_chk)
Check the system for a running NTP daemon, or for an ntpdate entry in the root crontab.

# svcs -Ho state ntp


If NTP is not online, this is a finding.

If NTP is running, confirm the servers and peers or multicast client (as applicable) are local or an authoritative U.S. DoD source.

For the NTP daemon

# more /etc/inet/ntp.conf


If a non-local/non-authoritative (non-U.S. DoD source, non-USNO-based, or non-GPS) time server is used, this is a finding.

Determine if the time synchronization frequency is correct.

# grep "maxpoll" /etc/inet/ntp.conf

If the command returns "File not found" or any value for maxpoll, this is a finding.

Determine if the running NTP server is configured properly.

# ntpq -p | awk '($6 ~ /[0-9]+/ && $6 > 86400) { print $1" "$6 }'

This will print out the name of any time server whose current polling time is greater than 24 hours (along with the actual value). If there is any output, this is a finding.
Fix Text (F-51597r1_fix)
The root role is required.

To activate the ntpd daemon, the ntp.conf file must first be created.

# cp /etc/inet/ntp.client /etc/inet/ntp.conf

# pfedit /etc/inet/ntp.conf

Make site-specific changes to this file as needed, using entries of the form:

server [ntpserver]

Locate the line containing maxpoll (if it exists).
Delete the line.

Start the ntpd daemon.

# svcadm enable ntp

Use a local authoritative time server synchronizing to an authorized DoD time source, a USNO-based time server, or a GPS. Ensure all systems in the facility feed from one or more local time servers that feed from the authoritative time server.

Edit the NTP configuration files and make the necessary changes to add the approved time servers per Solaris documentation.