UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

ESX Server is not authenticating the time source with a hashing algorithm.


Overview

Finding ID Version Rule ID IA Controls Severity
V-15836 ESX0400 SV-16775r1_rule Medium
Description
Since NTP is used to ensure accurate log file timestamps for information, NTP could pose a security risk if a malicious user were able to falsify NTP information. Implementing authentication between NTP peers can mitigate this risk. When hashing authentication is enforced, there is a greater level of assurance that NTP updates are from a trusted source.
STIG Date
VMware ESX 3 Server 2016-05-13

Details

Check Text ( C-16183r1_chk )
NTP authentication is used by time clients to authenticate the time server to prevent rogue server intervention. NTP authentication is based on encrypted keys. A key is encrypted and sent to the client by the server, where it is unencrypted and checked against the client key to ensure a match.

NTP keys are stored in the ntp.keys file in the following format:
Key-number M Key (The M stands for MD5 encryption), e.g.:
1 M secret
5 M RaBBit
7 M TiMeLy
10 M MYKEY

The NTP configuration file ntp.conf specifies which of the keys are trusted. Any keys specified in the keys file but not trusted will not be used for authentication, e.g.:

trustedkey 1 7 10

In this example, 5 is not trusted, only 1, 7, and 10 above.

1. On the ESX Server service console perform the following:

# cat /etc/ntp.conf

Review the configuration file to verify that the following are uncommented:
authenticate yes
….
keys /etc/ntp/keys

If these are commented out, this is a finding.

2. Next verify that the trusted keys are configured in the ntp.conf file.
trustedkey

If none are listed, this is a finding.

3. Next, review the keys file located at /etc/ntp/keys by performing the following:

# cat /etc/ntp/keys

Verify that keys are listed in the keys file. File should look similar to the following:
5 M RaBBit 7 M TiMeLy 10 M MYKEY

If no keys are configured here, this is a finding.

Fix Text (F-15787r1_fix)
Configure the ESX Server to authenticate the time source.