Skip to content

Time security controls

Control : TIME-3104

Proper time synchronization is important for authentication services, forensics and troubleshooting. Therefore a time daemon (like ntpd) should be running, or a scheduled task to sync time (like ntpdate).

Control : TIME-3106

NTP is enabled, however timedatectl is not syncing time

Control : TIME-3116

Time servers are used to sync the time with the host. When a used server is not properly configured or not working, it will be listed as a stratum 16 server, giving it a very low priority. Usually when finding a server with a value of 16, the server should be checked or replaced with an alternative server.

Control : TIME-3120

Lynis tests if the used NTP server candidates are reliable enough to be used. If items show up with a dash or minus, they are unreliable and should be checked or replaced.The NTP configuration and time synchronization in particular, is important for systems. It helps with properly logging the actual time, which is needed for many services. Having the right time is also important for accounting purposes and forensics.

Control : TIME-3124

When only a local source is being used on a system, it might indicate that external sources are not reachable or usable. The NTP configuration and time synchronization in particular, is important for systems. It helps with properly logging the actual time, which is needed for many services. Having the right time is also important for accounting purposes and forensics.Check the NTP configuration of this system to determine the cause of this finding.

Control : TIME-3128

Lynis checks if the NTP time source candidates can be found in the peers overview. If not, then the configuration usually needs to be checked and updated. Differences between the active configuration and the one stored on disk, may result in a non-functional NTP configuration after reboot.

Control : TIME-3132

False-tickers are NTP sources which do not work properly (e.g. non-functional, time not accurate). Lynis checks for false-tickers to prevent systems using bad sources for time synchronization. This may otherwise result in incorrect timestamps in log files and accounting data.

Control : TIME-3136

The NTP protocol version is gathered by Lynis as an informational test. Only when Lynis is not being able to detect the version, it will provide a suggestion to check it manually.

Control : TIME-3160

Lynis checks if step-tickers are configured in /etc/ntp/step-tickers and compares them with the list of servers in the general NTP configuration file.