Configure Systemd Timesyncd Root Distance Servers

An XCCDF Rule

Description

systemd-timesyncd server configuration should have RootDistanceMaxSec is listed in accordance with local policy. This setting describes the maximum estimated time required for a packet to travel to the server connected.

Rationale

Configuring systemd-timesyncd RootDistanceMaxSec ensures time synchronization is using servers that are close enough to the client.

ID: xccdf_org.ssgproject.content_rule_service_timesyncd_root_distance_configured
Severity: Medium
References: BP28(R43)

CCI-001891

Req-10.4.3

Req-10.6.2

2.2.1.2

CCE-92514-9
Updated: 8 months ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-92514-9
  - PCI-DSS-Req-10.4.3  - PCI-DSSv4-Req-10.6.2
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_timesyncd_root_distance_configured

- name: Configure Systemd Timesyncd Root Distance Servers - Add missing / update wrong
    records for root distance
  ansible.builtin.lineinfile:
    path: /etc/systemd/timesyncd.d/oscap-remedy.conf
    regexp: ^\s*RootDistanceMax\s*=
    state: present
    line: RootDistanceMax=1
    create: true
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - '"systemd" in ansible_facts.packages'
  tags:
  - CCE-92514-9
  - PCI-DSS-Req-10.4.3
  - PCI-DSSv4-Req-10.6.2
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_timesyncd_root_distance_configured

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q systemd; }; then

config_file="/etc/systemd/timesyncd.d/oscap-remedy.conf"
IFS=" " mapfile -t current_cfg_arr < <(ls -1 /etc/systemd/timesyncd.d/* 2>/dev/null)
current_cfg_arr+=( "/etc/systemd/timesyncd.conf" )# Comment existing NTP RootDistanceMax settings
if [ ${#current_cfg_arr[@]} -ne 0 ]; then
    for current_cfg in "${current_cfg_arr[@]}"
    do
        sed -i 's/^RootDistanceMax/#&/g' "$current_cfg"
    done
fi
# Set RootDistance in drop-in configuration
echo "RootDistanceMax=1" >> "$config_file"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Configure Systemd Timesyncd Root Distance Servers

Description

Rationale

Remediation - Ansible

Remediation - Shell Script