
V-258745

CAT II (Medium)

The ESXi host must synchronize internal information system clocks to an authoritative time source.

Rule ID

SV-258745r933296_rule

STIG

VMware vSphere 8.0 ESXi Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001891, CCI-002046

Discussion

To ensure the accuracy of the system clock, it must be synchronized with an authoritative time source within DOD. Many system functions, including time-based logon and activity restrictions, automated reports, system logs, and audit records, depend on an accurate system clock. If there is no confidence in the correctness of the system clock, time-based functions may not operate as intended and records may be of diminished value.

Satisfies: SRG-OS-000355-VMM-001330, SRG-OS-000356-VMM-001340

Check Content

From the vSphere Client, go to Hosts and Clusters.

Select the ESXi Host >> Configure >> System >> Time Configuration.

Verify NTP or PTP is configured, and one or more authoritative time sources are listed.

From the vSphere Client, go to Hosts and Clusters.

Select the ESXi Host >> Configure >> System >> Services.

Verify the NTP or PTP service is running and configured to start and stop with the host.

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

Get-VMHost | Get-VMHostNTPServer
Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon" -or $_.Label -eq "PTP Daemon"}

If the NTP service is not configured with authoritative DOD time sources or the service is not configured to start and stop with the host ("Policy" of "on" in PowerCLI) or is stopped, this is a finding.

If PTP is used instead of NTP, this is not a finding.
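
The finding logic from the check above, as an added PowerShell example (not part of the STIG text or VMware's code): it takes the output of the two PowerCLI commands plus a site-defined list of approved time sources and reports whether the host is a finding and why. The function name Test-EsxiTimeSync, the $ApprovedSources list, the sample hostnames, and treating PTP as "used" only when its service is running with a policy of "on" are assumptions.

```powershell
# Added example: evaluates the V-258745 check for one host.
function Test-EsxiTimeSync {
    param(
        [string[]]$NtpServers = @(),                        # from Get-VMHostNtpServer
        [Parameter(Mandatory)][object[]]$Services,          # from Get-VMHostService
        [Parameter(Mandatory)][string[]]$ApprovedSources    # site-defined list (assumption)
    )
    $ntp = $Services | Where-Object { $_.Label -eq 'NTP Daemon' }
    $ptp = $Services | Where-Object { $_.Label -eq 'PTP Daemon' }

    # PTP used instead of NTP: not a finding.
    # Assumption: "used" means running and set to start and stop with the host.
    if ($ptp -and $ptp.Running -and $ptp.Policy -eq 'on') {
        return [pscustomobject]@{ Finding = $false; Reasons = @('PTP in use') }
    }

    $reasons = @()
    if (-not $NtpServers) { $reasons += 'no NTP servers configured' }

    # Any configured server outside the approved list is not an authoritative source.
    $unapproved = @($NtpServers | Where-Object { $_ -and $_ -notin $ApprovedSources })
    if ($unapproved.Count -gt 0) {
        $reasons += "unapproved NTP source(s): $($unapproved -join ', ')"
    }
    if (-not $ntp -or $ntp.Policy -ne 'on') { $reasons += 'NTP Daemon policy is not "on"' }
    if (-not $ntp -or -not $ntp.Running)    { $reasons += 'NTP Daemon is stopped' }

    [pscustomobject]@{ Finding = ($reasons.Count -gt 0); Reasons = $reasons }
}

# Constructed sample data shaped like PowerCLI output (not from a real host).
$approved = 'ntp1.site.example', 'ntp2.site.example'   # placeholder hostnames
$services = @(
    [pscustomobject]@{ Label = 'NTP Daemon'; Policy = 'on';  Running = $false }
    [pscustomobject]@{ Label = 'PTP Daemon'; Policy = 'off'; Running = $false }
)
Test-EsxiTimeSync -NtpServers 'ntp1.site.example', 'pool.other.example' `
    -Services $services -ApprovedSources $approved

# Live use while connected with PowerCLI, one result per host:
# Get-VMHost | ForEach-Object {
#     Test-EsxiTimeSync -NtpServers ($_ | Get-VMHostNtpServer) `
#         -Services ($_ | Get-VMHostService) -ApprovedSources $approved
# }
```

Comparing against an explicit approved list catches hosts where NTP is running but pointed at a non-authoritative server, which the service-state check alone would pass.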

Fix Text

To configure NTP, perform the following:

From the vSphere Client, go to Hosts and Clusters.

Select the ESXi Host >> Configure >> System >> Time Configuration.

Click "Add Service" and select "Network Time Protocol".

Enter or update the NTP servers listed with a comma-separated list of authoritative time servers. Click "OK".

From the vSphere Client, go to Hosts and Clusters.

Select the ESXi Host >> Configure >> System >> Services.

Select the "NTP Daemon" service and click "Edit Startup Policy".

Select "Start and stop with host". Click "OK".

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

$NTPServers = "ntpserver1","ntpserver2"
Get-VMHost | Add-VMHostNTPServer $NTPServers
Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"} | Set-VMHostService -Policy On
Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"} | Start-VMHostService

To configure PTP, perform the following:

From the vSphere Client, go to Hosts and Clusters.

Select the ESXi Host >> Configure >> System >> Time Configuration.

Click "Add Service" and select "Precision Time Protocol".

Select the network adapter that can receive the PTP traffic.

If NTP servers are available, select "Enable fallback" and enter or update the NTP servers listed with a comma-separated list of authoritative time servers. Click "OK".

From the vSphere Client, go to Hosts and Clusters.

Select the ESXi Host >> Configure >> System >> Services.

Select the "PTP Daemon" service and click "Edit Startup Policy".

Select "Start and stop with host". Click "OK".