2.1 Ensure NTP time synchronization is configured properly

Information

Network Time Protocol (NTP) synchronization should be configured correctly and enabled on each VMware ESXi host to ensure accurate time for system event logs. The time sources used by the ESXi hosts should be in sync with an agreed-upon time standard such as Coordinated Universal Time (UTC). There should be at minimum two NTP sources in place, and they should sync whenever possible.

Rationale:

By ensuring that all systems use the same relative time source (including the relevant localization offset), and that the relative time source can be correlated to an agreed-upon time standard, it is simpler to track and correlate an intruder's actions when reviewing the relevant log files. Incorrect time settings can also make auditing inaccurate.

Solution

To enable and properly configure NTP synchronization, perform the following from the vSphere web client:

Select a host

Click Configure then expand System then select Time Configuration.

Select Edit next to Network Time Protocol

Select the Enable box, then fill in the appropriate NTP Servers.

in the NTP Service Startup Policy drop down select Start and stop with host.

Click OK.

To implement the recommended configuration state, run the following PowerCLI command:

# Set the NTP Settings for all hosts
# If an internal NTP server is used, replace pool.ntp.org with
# the IP address or the Fully Qualified Domain Name (FQDN) of the internal NTP server
$NTPServers = 'pool.ntp.org', 'pool2.ntp.org'
Get-VMHost | Add-VmHostNtpServer $NTPServers

See Also

https://workbench.cisecurity.org/files/3473