Time stamps recorded on the log records in the Central Log Server must be configured to synchronize to within one second of the host server or, if NTP is configured directly in the log server, the NTP time source must be the same as the host and devices within its scope of coverage.

From Central Log Server Security Requirements Guide

Associated with: CCI-000174

SV-95823r1_rule Time stamps recorded on the log records in the Central Log Server must be configured to synchronize to within one second of the host server or, if NTP is configured directly in the log server, the NTP time source must be the same as the host and devices within its scope of coverage.

Vulnerability discussion

If the application is not configured to collate records based on the time when the events occurred, the ability to perform forensic analysis and investigations across multiple components is significantly degraded. If the SIEM or other Central Log Server is out of sync with the host and devices for which it stores event logs, this may impact the accuracy of the records stored.Log records are time correlated if the time stamps in the individual log records can be reliably related to the time stamps in other log records to achieve a time ordering of the records within an organization-defined level of tolerance.This requirement applies only to applications that compile system-wide log records for multiple systems or system components.Note: The actual configuration and security requirements for NTP is handled in the host OS or NDM STIGs that are also required as part of a Central Log Server review.

Check content

Examine the time stamp that indicates when the Central Log Server received the log records. Verify the time is synchronized to within one second of the host server. If an NTP client is configured within the Central Log Server application, verify it is configured to use the same NTP time source as the host and devices within its scope of coverage. If time stamps recorded on the log records in the Central Log Server are not configured to synchronize to within one second of the host server or the log server application is not configured to use the same NTP time source as the host and devices within its scope of coverage, this is a finding.

Fix text

Configure the Central Log Server such that time stamps on the log records are synchronized to within one second of the host server. If applicable, configure the Central Log Server NTP client to use the same NTP time source as the host and devices within its scope of coverage.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.