2.2.2 Ensure Time Is Set Within Appropriate Limits

Information

Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries. Ensure that time on the computer is within acceptable limits. Truly accurate time is measured within milliseconds. For this audit, a drift under four and a half minutes passes the control check. Since Kerberos is one of the important features of macOS integration into Directory systems, the guidance here is to warn you before there could be an impact to operations. From the perspective of accurate time, this check is not strict, so it may be too great for your organization. Your organization can adjust to a smaller offset value as needed.

If there are consistent drift issues on the OS, some of the most common drift issues should be investigated:

The chosen time server is not reachable based on network firewall rules on the current network

The computer is offline often and the battery drains, and the network is not immediately available

The chosen time server is a special internal or non-public time server that does not provide a reliable time source

Note: ntpdate has been deprecated with 10.14. sntp replaces that command.

Rationale:

Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features. Audit check is for more than 4 minutes and 30 seconds ahead or behind.

Impact:

Accurate time is required for many computer functions.

Solution

Run the following commands to ensure your time is set within an appropriate limit:

$ sudo systemsetup -getnetworktimeserver

The output will include Network Time Server: and the name of your time server
example: Network Time Server: time.apple.com.

$ sudo sntp -sS <your.time.server>

example:

$ sudo systemsetup -getnetworktimeserver

Network Time Server: time.apple.com

$ sudo sntp -sS time.apple.com

Additional Information:

The associated check will fail if no network connection is available.

See Also

https://workbench.cisecurity.org/files/4002