Configure Systemd Timesyncd Servers

An XCCDF Rule

Description

systemd-timesyncd is a daemon that has been added for synchronizing the system clock across the network. The systemd-timesyncd daemon implements: - Implements an SNTP client - Runs with minimal privileges - Saves the current clock to disk every time a new NTP sync has been acquired - Is hooked up with networkd to only operate when network connectivity is available Add or edit server or pool lines to /etc/systemd/timesyncd.conf as appropriate:

server <remote-server>

Multiple servers may be configured.

Rationale

Configuring systemd-timesyncd ensures time synchronization is working properly.

ID: xccdf_org.ssgproject.content_rule_service_timesyncd_configured
Severity: Medium
References: BP28(R43)

CCI-001891

Req-10.4.3

Req-10.6.2

2.2.1.2

CCE-92538-8
Updated: 8 months ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-92538-8
  - PCI-DSS-Req-10.4.3  - PCI-DSSv4-Req-10.6.2
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_timesyncd_configured
- name: XCCDF Value var_multiple_time_servers # promote to variable
  set_fact:
    var_multiple_time_servers: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_multiple_time_servers" use="legacy"/>
  tags:
    - always

- name: Configure Systemd Timesyncd Servers - Set Primary NTP Servers
  ansible.builtin.set_fact:
    preferred_ntp_servers: '{{ var_multiple_time_servers.split(",") | slice(2)| first
      | join(",") }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - '"systemd" in ansible_facts.packages'
  tags:
  - CCE-92538-8
  - PCI-DSS-Req-10.4.3
  - PCI-DSSv4-Req-10.6.2
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_timesyncd_configured

- name: Configure Systemd Timesyncd Servers - Set Fallback NTP Servers
  ansible.builtin.set_fact:
    fallback_ntp_servers: '{{ var_multiple_time_servers.split(",") | slice(2)| list
      | last | join(",") }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - '"systemd" in ansible_facts.packages'
  tags:
  - CCE-92538-8
  - PCI-DSS-Req-10.4.3
  - PCI-DSSv4-Req-10.6.2
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_timesyncd_configured

- name: Configure Systemd Timesyncd Servers - Add missing / update wrong records for
    NTP servers
  ansible.builtin.lineinfile:
    path: /etc/systemd/timesyncd.d/oscap-remedy.conf
    regexp: ^\s*NTP\s*=
    state: present
    line: NTP={{ preferred_ntp_servers }}
    create: true
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - '"systemd" in ansible_facts.packages'
  tags:
  - CCE-92538-8
  - PCI-DSS-Req-10.4.3
  - PCI-DSSv4-Req-10.6.2
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_timesyncd_configured

- name: Configure Systemd Timesyncd Servers - Add missing / update wrong records for
    fallback servers
  ansible.builtin.lineinfile:
    path: /etc/systemd/timesyncd.d/oscap-remedy.conf
    regexp: ^\s*FallbackNTP\s*=
    state: present
    line: FallbackNTP={{ fallback_ntp_servers }}
    create: true
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - '"systemd" in ansible_facts.packages'
  tags:
  - CCE-92538-8
  - PCI-DSS-Req-10.4.3
  - PCI-DSSv4-Req-10.6.2
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_timesyncd_configured

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q systemd; }; then

var_multiple_time_servers='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_multiple_time_servers" use="legacy"/>'

IFS=',' read -r -a time_servers_array <<< "$var_multiple_time_servers"preferred_ntp_servers_array=("${time_servers_array[@]:0:2}")
preferred_ntp_servers=$( echo "${preferred_ntp_servers_array[@]}"|sed -e 's/\s\+/,/g' )
fallback_ntp_servers_array=("${time_servers_array[@]:2}")
fallback_ntp_servers=$( echo "${fallback_ntp_servers_array[@]}"|sed -e 's/\s\+/,/g' )

IFS=" " mapfile -t current_cfg_arr < <(ls -1 /etc/systemd/timesyncd.d/* 2>/dev/null)
config_file="/etc/systemd/timesyncd.d/oscap-remedy.conf"
current_cfg_arr+=( "/etc/systemd/timesyncd.conf" )
# Comment existing NTP FallbackNTP settings
for current_cfg in "${current_cfg_arr[@]}"
do
    sed -i 's/^NTP/#&/g' "$current_cfg"
    sed -i 's/^FallbackNTP/#&/g' "$current_cfg"
done
# Create /etc/systemd/timesyncd.d if it doesn't exist
if [ ! -d "/etc/systemd/timesyncd.d" ]
then 
    mkdir /etc/systemd/timesyncd.d
fi
# Set primary fallback NTP servers in drop-in configuration
echo "NTP=$preferred_ntp_servers" >> "$config_file"
echo "FallbackNTP=$fallback_ntp_servers" >> "$config_file"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Configure Systemd Timesyncd Servers

Description

Rationale

Remediation - Ansible

Remediation - Shell Script