
ESX Server is not authenticating the time source with a hashing algorithm.


Overview

Finding ID: V-15836
Version: ESX0400
Rule ID: SV-16775r1_rule
IA Controls: none listed
Severity: Medium
Description
Since NTP is used to ensure accurate log file timestamps for information, NTP could pose a security risk if a malicious user were able to falsify NTP information. Implementing authentication between NTP peers can mitigate this risk. When hashing authentication is enforced, there is a greater level of assurance that NTP updates are from a trusted source.
STIG: VMware ESX 3 Server
Date: 2016-05-13

Details

Check Text (C-16183r1_chk)
NTP authentication is used by time clients to authenticate the time server to prevent rogue server intervention. NTP authentication is based on encrypted keys. A key is encrypted and sent to the client by the server, where it is unencrypted and checked against the client key to ensure a match.

NTP keys are stored in the ntp.keys file in the following format:
Key-number M Key (The M stands for MD5 encryption), e.g.:
1 M secret
5 M RaBBit
7 M TiMeLy
10 M MYKEY

The NTP configuration file ntp.conf specifies which of the keys are trusted. Any keys specified in the keys file but not trusted will not be used for authentication, e.g.:

trustedkey 1 7 10

In this example, key 5 is not trusted; only keys 1, 7, and 10 are.

1. On the ESX Server service console, perform the following:

# cat /etc/ntp.conf

Review the configuration file to verify that the following are uncommented:
authenticate yes
….
keys /etc/ntp/keys

If these are commented out, this is a finding.

2. Next, verify that the trusted keys are configured in the ntp.conf file:
trustedkey

If none are listed, this is a finding.

3. Next, review the keys file located at /etc/ntp/keys by performing the following:

# cat /etc/ntp/keys

Verify that keys are listed in the keys file. The file should look similar to the following:
5 M RaBBit
7 M TiMeLy
10 M MYKEY

If no keys are configured here, this is a finding.

Fix Text (F-15787r1_fix)
Configure the ESX Server to authenticate the time source.
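The following script is an added example, not part of the STIG text or any VMware tooling: it automates check steps 1 through 3 above against an ntp.conf and a keys file, and it includes a constructed compliant sample (which also illustrates what the fix text asks for) and a constructed non-compliant sample. Both file paths are parameters so the logic can be run on the samples offline; on a real host you would pass /etc/ntp.conf and /etc/ntp/keys. The final consistency check (a trusted key ID that the keys file never defines) goes slightly beyond the STIG's wording and is labelled as such in the code.

```shell
#!/bin/sh
# Added example, not the STIG's own text: automates check steps 1-3.
# check_ntp_auth CONF KEYS prints each finding it detects and returns 1 if
# any were found, or 0 if the configuration passes the check.

# Step 1 helper: does CONF contain an uncommented line starting with DIRECTIVE?
# A leading '#' makes a line a comment, so anchoring at line start (after
# optional whitespace) excludes commented-out directives.
has_active_directive() {
    grep -E "^[[:space:]]*$2([[:space:]]|\$)" "$1" >/dev/null 2>&1
}

# Step 2 helper: print the key IDs named on active 'trustedkey' lines, one per
# line. ntp.conf may carry several trustedkey lines; all of them are collected.
trusted_key_ids() {
    awk '$1 == "trustedkey" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Step 3 helper: print the key IDs defined in the keys file. Only lines of the
# form "<id> M <key>" count; comments and malformed lines are ignored.
defined_key_ids() {
    awk '$1 ~ /^[0-9]+$/ && $2 == "M" && NF >= 3 { print $1 }' "$1"
}

check_ntp_auth() {
    conf="$1"; keys="$2"; findings=0
    # Step 1: both directives must be present and uncommented.
    for directive in "authenticate yes" "keys"; do
        if ! has_active_directive "$conf" "$directive"; then
            echo "FINDING: '$directive' missing or commented out in $conf"
            findings=$((findings + 1))
        fi
    done
    # Step 2: at least one trusted key must be listed.
    trusted=$(trusted_key_ids "$conf")
    if [ -z "$trusted" ]; then
        echo "FINDING: no trustedkey entries in $conf"
        findings=$((findings + 1))
    fi
    # Step 3: the keys file must define at least one key.
    defined=$(defined_key_ids "$keys" 2>/dev/null)
    if [ -z "$defined" ]; then
        echo "FINDING: no keys defined in $keys"
        findings=$((findings + 1))
    fi
    # Extra consistency check (beyond the STIG text): a trusted ID that the
    # keys file does not define can never authenticate anything, so flag it.
    for id in $trusted; do
        if ! printf '%s\n' "$defined" | grep -qx "$id"; then
            echo "FINDING: trustedkey $id is not defined in $keys"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample mirroring the check text: the shape a fixed ESX host's
# files should have (server address and key values are made up).
write_compliant_sample() {
    dir="$1"
    cat > "$dir/ntp.conf" <<'EOF'
server 192.0.2.10
authenticate yes
keys /etc/ntp/keys
trustedkey 1 7 10
EOF
    cat > "$dir/keys" <<'EOF'
# id type key   (constructed sample)
1 M secret
5 M RaBBit
7 M TiMeLy
10 M MYKEY
EOF
}

# Constructed non-compliant sample: directives commented out, no trustedkey
# line, empty keys file. Every step of the check fails on it.
write_noncompliant_sample() {
    dir="$1"
    cat > "$dir/ntp.conf" <<'EOF'
server 192.0.2.10
#authenticate yes
#keys /etc/ntp/keys
EOF
    : > "$dir/keys"
}

# Runs the check against both samples in a temporary directory.
demo() {
    tmp=$(mktemp -d) || return 1
    write_compliant_sample "$tmp"
    echo "== compliant sample =="
    if check_ntp_auth "$tmp/ntp.conf" "$tmp/keys"; then echo "PASS"; fi
    write_noncompliant_sample "$tmp"
    echo "== non-compliant sample =="
    if ! check_ntp_auth "$tmp/ntp.conf" "$tmp/keys"; then echo "FAIL: see findings above"; fi
    rm -rf "$tmp"
}
demo
```

To audit a host rather than the samples, call `check_ntp_auth /etc/ntp.conf /etc/ntp/keys`; a non-zero exit status means at least one finding was printed. The script reads the keys path from its second argument rather than from the `keys` directive, so point it at whatever file ntp.conf actually names.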