Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
Depending on the infrastructure in use, the "pool" directive may not be supported.
Verify Amazon Linux 2023 chrony service specifies a maximum interval of 24 hours between requests sent to a United States Naval Observatory (USNO) server with the following command:
Note: <USNO/DOD Server> is used in place of a time source IP address.
If the "maxpoll" option is not configured, set to a number greater than 16, or the line is commented out, this is a finding.
Verify Amazon Linux 2023 chrony service is configured to use authoritative USNO or appropriate DOD time source with the following command:
$ sudo grep -i server /etc/chrony.conf server <USNO/DOD Server>
If the parameter "server" is not set or is not set to an authoritative USNO/DOD time source, this is a finding.
Fix
Configure Amazon Linux 2023 to compare internal information system clocks at least every 24 hours with an NTP server. Ensure the following line is added or updated in "/etc/chrony.conf":