Details

Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events.

Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider setting time periods for different types of systems (e.g., financial, legal, or mission-critical systems). Organizations should also consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). This requirement is related to the comparison done every 24 hours in CCI-001891 because a comparison must be done in order to determine the time difference.

The organization-defined time period will depend on multiple factors, most notably the granularity of time stamps in audit logs. For example, if time stamps only show to the nearest second, there is no need to have accuracy of a tenth of a second in clocks.

Solution

Configure the network device to synchronize internal information system clocks to the authoritative time source when the time difference is greater than the organization-defined time period.

Configuration Example:
switch(config)#ntp server HOST
switch(config)#ntp server HOST prefer

Supportive Information

The following resource is also helpful.

• https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Arista_MLS_DCS-7000_Series_Y20M07_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Audit and Accountability.This control applies to the following type of system Arista.

References

• 800-53|AU-8(1)(b)
• CAT|II
• CCI|CCI-002046
• Group-ID|V-60863
• Rule-ID|SV-75321r1_rule
• STIG-ID|AMLS-NM-000270
• Vuln-ID|V-60863

Source

• Tenable.com/audits