AOS must be configured to synchronize internal information system clocks using redundant authoritative time sources.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-266953 | ARBA-ND-000298 | SV-266953r1039880_rule | Medium |
| Description |
| The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must use an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891. DOD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DOD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source. |
| STIG | Date |
| HPE Aruba Networking AOS NDM Security Technical Implementation Guide | 2024-10-29 |
Details
| Check Text (C-70877r1039878_chk) |
| Verify the AOS configuration with the following command: show ntp servers If at least two NTP servers are not configured, this is a finding. |
| Fix Text (F-70780r1039879_fix) |
| Configure AOS with the following commands: configure terminal ntp authentication-key (keyid #> sha1 <plaintext key> ntp trusted-key <keyid #> ntp server <first fqdn, ipv4, or ipv6 address> key <keyid #> ntp server <second fqdn, ipv4, or ipv6 address> key <keyid #> ntp authenticate write memory |