Disable ntpdate Service (ntpdate)
An XCCDF Rule
Description
The ntpdate service sets the local hardware clock by polling NTP servers when the system boots. It synchronizes to the NTP servers listed in /etc/ntp/step-tickers or /etc/ntp.conf and then sets the local hardware clock to the newly synchronized system time.
The ntpdate service can be disabled with the following command:
$ sudo systemctl mask --now ntpdate.service
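To verify the result of the command above, the following added example (not part of the SSG content or its own check) classifies the strings printed by `systemctl is-enabled` and `systemctl is-active`. It assumes the target state is the one `mask --now` produces (masked and not running) or the unit not being installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify ntpdate.service from systemctl state strings.
# Assumption: "compliant" means the state `systemctl mask --now` leaves
# behind (masked, not running), or the unit not being installed at all.

# $1 = stdout of `systemctl is-enabled ntpdate.service`
# $2 = stdout of `systemctl is-active ntpdate.service`
# Prints a one-word verdict; returns 0 only for a compliant state.
ntpdate_verdict() {
    enabled_state=$1
    active_state=$2

    # A running or starting unit fails regardless of its enablement state.
    case "$active_state" in
        active|activating|reloading) echo "running"; return 1 ;;
    esac

    case "$enabled_state" in
        masked)         echo "compliant" ;;
        # Older systemd prints nothing on stdout for an unknown unit.
        not-found|"")   echo "not-installed" ;;
        # A runtime mask lives under /run and is gone after a reboot.
        masked-runtime) echo "mask-not-persistent"; return 1 ;;
        # These states can still be started by hand or as a dependency.
        disabled|static|indirect) echo "not-masked"; return 1 ;;
        *)              echo "enabled"; return 1 ;;
    esac
}

# Live wrapper (hypothetical helper): query systemd and classify the unit.
audit_ntpdate_live() {
    unit=${1:-ntpdate.service}
    # Both queries exit non-zero for most states; only stdout is used.
    en=$(systemctl is-enabled "$unit" 2>/dev/null) || true
    ac=$(systemctl is-active "$unit" 2>/dev/null) || true
    ntpdate_verdict "$en" "$ac"
}
```

On a host with systemd, call `audit_ntpdate_live` and use its exit status in a compliance script.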
Rationale
The ntpdate service may only be suitable for systems that are rebooted frequently enough that clock drift does not cause problems between reboots. In any event, the functionality of the ntpdate service is now available in the ntpd program, and the ntpdate service should be considered deprecated.
- ID: xccdf_org.ssgproject.content_rule_service_ntpdate_disabled
- Severity: Low
- References
- Updated
Remediation - OS Build Blueprint
[customizations.services]
disabled = ["ntpdate"]
Remediation - Puppet
include disable_ntpdate

class disable_ntpdate {
  # Stop ntpdate now and keep it from being started at boot
  service {'ntpdate':
    enable => false,
    ensure => 'stopped',
  }
}
Remediation - Shell Script
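# Remediation is applicable only in certain platforms
# (skipped when a Docker or Podman container marker file is present)
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    # Stop the running unit, then remove it from the boot sequence
    "$SYSTEMCTL_EXEC" stop 'ntpdate.service'
    "$SYSTEMCTL_EXEC" disable 'ntpdate.service'
fi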
Remediation - Kubernetes Patch
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
Remediation - Ansible
- name: Block Disable service ntpdate
  block:
  - name: Disable service ntpdate
    block: