Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-239301 | ESXI-67-000046 | SV-239301r674832_rule | | Medium |
Description |
---|
To ensure the accuracy of the system clock, it must be synchronized with an authoritative time source within DoD. Many system functions, including time-based logon and activity restrictions, automated reports, system logs, and audit records, depend on an accurate system clock. If there is no confidence in the correctness of the system clock, time-based functions may not operate as intended and records may be of diminished value. Satisfies: SRG-OS-000355-VMM-001330, SRG-OS-000356-VMM-001340 |
STIG | Date |
---|---|
VMware vSphere 6.7 ESXi Security Technical Implementation Guide | 2021-03-17 |
Check Text ( C-42534r674830_chk ) |
---|
From the vSphere Client, select the ESXi host and go to Configure >> System >> Time Configuration. Click "Edit" to verify the configured NTP servers and service startup policy.

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

```powershell
# List the NTP servers configured on each host
Get-VMHost | Get-VMHostNTPServer
# Show the NTP service's startup policy and running state
Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"}
```

If the NTP service is not configured with authoritative DoD time sources or the service does not have a "Policy" of "on" or is stopped, this is a finding.

Fix Text (F-42493r674831_fix) |
---|
From the vSphere Client, select the ESXi host and go to Configure >> System >> Time Configuration. Click "Edit" to configure the NTP service with authoritative DoD time sources and to start and stop with the host.

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

```powershell
# Placeholder names; replace with authoritative DoD time sources
$NTPServers = "ntpserver1","ntpserver2"
Get-VMHost | Add-VMHostNTPServer $NTPServers
# Start the NTP service with the host, then start it now
Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"} | Set-VMHostService -Policy On
Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"} | Start-VMHostService
```
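
The three conditions in the Check Text (approved time sources, a "Policy" of "on", service running) can be evaluated for every connected host in one pass. The script below is an added example, not part of the STIG; it assumes an existing `Connect-VIServer` session, and `$ApprovedNtp` holds the same placeholder names used in the Fix Text.

```powershell
# Added example: audit ESXi hosts against the conditions in the Check Text.
# $ApprovedNtp is a placeholder list (assumption); replace it with your
# site's authoritative DoD time sources.
$ApprovedNtp = @('ntpserver1', 'ntpserver2')

$results = foreach ($vmhost in Get-VMHost) {
    # Configured NTP servers are returned as plain strings.
    $configured = @(Get-VMHostNtpServer -VMHost $vmhost)
    $ntpd = Get-VMHostService -VMHost $vmhost |
        Where-Object { $_.Label -eq 'NTP Daemon' }

    $reasons = @()
    if ($configured.Count -eq 0) {
        $reasons += 'no NTP servers configured'
    }
    # Report any configured server that is not on the approved list.
    $unapproved = @($configured | Where-Object { $_ -notin $ApprovedNtp })
    if ($unapproved.Count -gt 0) {
        $reasons += "unapproved NTP servers: $($unapproved -join ', ')"
    }
    if (-not $ntpd) {
        $reasons += 'NTP Daemon service not found'
    } else {
        if ($ntpd.Policy -ne 'on') { $reasons += "startup policy is '$($ntpd.Policy)'" }
        if (-not $ntpd.Running)    { $reasons += 'service is stopped' }
    }

    [pscustomobject]@{
        Host       = $vmhost.Name
        NtpServers = $configured -join ', '
        Policy     = $ntpd.Policy
        Running    = $ntpd.Running
        Finding    = $reasons.Count -gt 0
        Reasons    = $reasons -join '; '
    }
}

# One row per host; Finding is True when any condition fails.
$results | Format-Table -AutoSize -Wrap
```

A host with an empty NTP server list is reported as a finding even when the service is running with a policy of "on", since the check requires authoritative sources to be configured.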