Vulnerability Discussion

Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside of the configured acceptable allowance (drift) may be inaccurate.

Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.

Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).

Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144

Check

Verify the macOS system is configured with the timed service enabled and an authorized time server with the following commands:

/usr/bin/sudo /usr/sbin/systemsetup -getusingnetworktime

Network Time: On

If "Network Time" is not set to "On", this is a finding.

/usr/bin/sudo /usr/sbin/systemsetup -getnetworktimeserver

If no time server is configured, or if an unapproved time server is in use, this is a finding.

Fix

Configure the macOS system to enable the timed service and set an authorized time server with the following commands:

/usr/bin/sudo /usr/sbin/systemsetup -setusingnetworktime on

/usr/bin/sudo /usr/sbin/systemsetup -setnetworktimeserver "server"