Rule ID
SV-237972r649756_rule
Version
V2R2
CCIs
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).
Determine if Clock synchronization software is use. If there is no Clock synchronization software in use, this is a finding. Determine if configuration allows for the synchronizing internal Clock to authoritative source. If software is improperly configured, this is a finding.
Configure Clock synchronizing software to compare internal clock to authoritative source at least every 24 hours and when time difference is greater than one second.