2.2.2 Ensure time set is within appropriate limits


Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries. Ensure that time on the computer is within acceptable limits. Truly accurate time is measured within milliseconds. For this audit, a drift under four and a half minutes passes the control check. Since Kerberos is one of the important features of macOS integration into Directory systems the guidance here is to warn you before there could be an impact to operations. From the perspective of accurate time, this check is not strict,so it may be too great for your organization. Your organization can adjust to a smaller offset value as needed.

Note: ntpdate has been deprecated with 10.14. sntp replaces that command.


Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features. Audit check is for more than 4 minutes and 30 seconds ahead or behind.


Accurate time is required for many computer functions.


Run the following commands to ensure your time is set within an appropriate limit:

$ sudo systemsetup -getnetworktimeserver

The output will include Network Time Server: and the name of your time server
example: Network Time Server: time.apple.com.

$ sudo touch /var/db/ntp-kod

$ sudo chown root:wheel /var/db/ntp-kod

$ sudo sntp -sS <your.time.server>


$ sudo systemsetup -getnetworktimeserver

Network Time Server: time.apple.com

$ sudo touch /var/db/ntp-kod

$ sudo chown root:wheel /var/db/ntp-kod

$ sudo sntp -sS time.apple.com

Additional Information:

The associated check will fail if no network connection is available.

See Also


Item Details


References: 800-53|AU-7, 800-53|AU-8, CSCv7|6.1

Plugin: Unix

Control ID: 88367a417c5f1b91135ceb87d51753859e4007041cdf8ad7f99981abb01374bc