On 10/9/13 10:58 PM, Jeffrey Blank wrote:
Signed-off-by: Jeffrey Blank <[email protected]>
---
  RHEL6/input/services/ntp.xml |   32 ++++++++++++++------------------
  1 files changed, 14 insertions(+), 18 deletions(-)

diff --git a/RHEL6/input/services/ntp.xml b/RHEL6/input/services/ntp.xml
index 3a8aba2..ee6e6c2 100644
--- a/RHEL6/input/services/ntp.xml
+++ b/RHEL6/input/services/ntp.xml
@@ -7,20 +7,17 @@ protocols can be used both to ensure that time is consistent 
among
  a network of machines, and that their time is consistent with the
  outside world.
  <br /><br />
-Local time synchronization is recommended for all networks.
-If every machine on your network reliably reports the same time as
-every other machine, then it is much easier to correlate log
-messages in case of an attack. In addition, a number of
-cryptographic protocols (such as Kerberos) use timestamps to
-prevent certain types of attacks. If your network does not have
-synchronized time, these protocols may be unreliable or even
-unusable.
+If every system on a network reliably reports the same time, then it is much
+easier to correlate log messages in case of an attack. In addition, a number of
+cryptographic protocols (such as Kerberos) use timestamps to prevent certain
+types of attacks. If your network does not have synchronized time, these
+protocols may be unreliable or even unusable.
  <br /><br />
  Depending on the specifics of the network, global time accuracy may be just as
  important as local synchronization, or not very important at all. If your
-network is connected to the Internet, it is recommended that you make use of a
-public timeserver or one provided by your enterprise or agency, since globally
-accurate timestamps may be necessary if you need to investigate or respond to
+network is connected to the Internet, using a
+public timeserver (or one provided by your enterprise) provides globally
+accurate timestamps which may be essential in investigating or responding to
  an attack which originated outside of your network.
  <br /><br />
  A typical network setup involves a small number of internal systems operating 
as NTP
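Review bot: In the rewritten third paragraph ("using a public timeserver (or one provided by your enterprise) provides globally accurate timestamps which may be essential"), the text no longer recommends anything, and moving the enterprise server into parentheses makes the public timeserver read as the default choice. If dropping the recommendation is intended, consider at least naming the enterprise-provided server first, since the same paragraph ties time accuracy to investigating attacks. The phrase "using a ... provides ... timestamps which may be" is also awkward; "timestamps, which may be essential" or "timestamps that may be essential" reads better. The removed "or agency" and the removed opening sentence "Local time synchronization is recommended for all networks." are worth a line in the commit message, which currently has only the Signed-off-by.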
@@ -65,17 +62,16 @@ This instructs the NTP software to contact that remote 
server to obtain time
  data.
  </description>
  <ocil clause="this is not the case">
-A remote NTP server should be configured for time synchronization.  To verify
-one is configured, open the following file:
+To verify that a remote NTP service is configured for time synchronization,
+open the following file:
  <pre>/etc/ntp.conf</pre>
  In the file, there should be a section similar to the following:
-<pre># --- OUR TIMESERVERS -----
-server <i>ntpserver</i></pre>
+<pre>server <i>ntpserver</i></pre>
  </ocil>
-<rationale> Synchronizing with an NTP server makes it possible
+<rationale>Synchronizing with an NTP server makes it possible
  to collate system logs from multiple sources or correlate computer events with
-real time events. Using a trusted NTP server provided by your organization is
-recommended.</rationale>
+real time events.
+</rationale>
  <ident cce="27098-3" />
  <oval id="ntp_remote_server" />
  <ref nist="AU-8(1)" disa="160" />
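Review bot: In the ocil text, "there should be a section similar to the following" no longer matches the example now that the "# --- OUR TIMESERVERS -----" comment is removed and only a single "server ntpserver" line remains; "a line similar to the following" would be accurate. In the rationale, deleting "Using a trusted NTP server provided by your organization is recommended." removes the only statement in this hunk about the trustworthiness of the time source. If that guidance is meant to live in the description instead, confirm it is stated there, since nothing in the visible lines carries it over.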

ack

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
