The macOS system must be configured to use an authorized time server.

STIG ID: APPL-15-000170  |  SRG: SRG-OS-000355-GPOS-00143 |  Severity: medium |  CCI: CCI-004923,CCI-004926 |  Vulnerability Id: V-268449

Vulnerability Discussion

An approved time server must be the only server configured for use. As of macOS 10.13, only one time server is supported.

This rule ensures the uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.

Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144

Check

Verify the macOS system is configured to use an authorized time server with the following command:

/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
.objectForKey('timeServer').js
EOS

If the result is not an authoritative time server that is synchronized with redundant USNO time servers as designated for the appropriate DOD network, this is a finding.

Fix

Configure the macOS system to use an authorized time server by installing the "com.apple.MCX" configuration profile.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.