SV-95595r1_rule
V-80885
SRG-APP-000516-AAA-000360
CAT II
10
Configure AAA Services to authenticate all received NTP messages using a FIPS-approved message authentication code algorithm. When AAA Services are not capable of using FIPS-approved message authentication code algorithms, configure AAA Services to use MD5 message authentication code algorithms.
Verify AAA Services are configured to authenticate all NTP messages received from NTP servers and peers.
The NTP server or peer authentication must use a FIPS-approved message authentication code algorithm. FIPS-approved algorithms for authentication are the cipher-based message authentication code (CMAC) and the keyed-hash message authentication code (HMAC). AES and 3DES are NIST-approved CMAC algorithms. The following are NIST-approved HMAC algorithms: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256. AAA Services may leverage the capability of an operating system.
If AAA Services are not configured to authenticate all NTP messages using a FIPS-approved message authentication code algorithm, this is a finding.
If AAA Services are not capable of authenticating the NTP server or peer using a FIPS-approved message authentication code algorithm, but are configured to use MD5 for NTP message authentication, this is downgraded to a CAT III.
False
M
3357