Disable network management of chrony daemon

An XCCDF Rule

Description

The cmdport option in /etc/chrony.conf can be set to 0 to stop the chrony daemon from listening on UDP port 323 for management connections made by chronyc.

Rationale

Minimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface.

ID
xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network
Severity
Low

Remediation - Kubernetes Patch

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^cmdport")
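
The shell remediation shown on this page is cut off. The following is an added example, not the SSG project's own remediation or check script, that implements the rule's intent end to end: a check that passes only when every cmdport directive in a chrony.conf-style file is 0 (a missing directive means the default port 323 is used), and an idempotent remediation that removes duplicate cmdport lines and sets cmdport 0. It assumes a POSIX shell with awk, grep and mktemp, and operates on a constructed sample file (make_sample_conf) rather than the real /etc/chrony.conf.

```shell
#!/bin/sh
# Added example (not the SSG project's code). Assumes POSIX sh, awk, grep, mktemp.

# Check: return 0 when the management port is disabled, i.e. the file contains at
# least one cmdport directive and every one of them is "cmdport 0".
# Comment lines (#...) never have $1 == "cmdport", so they are ignored by awk.
chrony_cmdport_disabled() {
    conf="$1"
    vals=$(awk '$1 == "cmdport" { print $2 }' "$conf")
    [ -n "$vals" ] || return 1          # no directive: chronyd falls back to UDP 323
    for v in $vals; do
        [ "$v" = "0" ] || return 1      # any non-zero value leaves the port open
    done
    return 0
}

# Remediation: drop every existing cmdport directive (so no duplicates survive)
# and append the hardened value. Writing through cat keeps the file's inode,
# owner and mode. Running it twice yields the same single "cmdport 0" line.
set_cmdport_zero() {
    conf="$1"
    tmp="$conf.tmp"
    awk '$1 != "cmdport"' "$conf" > "$tmp"
    printf 'cmdport 0\n' >> "$tmp"
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Constructed sample configuration (not taken from a real host), written to a
# temporary file so the example never touches /etc/chrony.conf.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample chrony.conf for the example
pool 2.pool.ntp.org iburst
driftfile /var/lib/chrony/drift
cmdport 323
keyfile /etc/chrony.keys
EOF
    printf '%s\n' "$f"
}

# Demo: show the state before and after remediation on the sample file.
sample=$(make_sample_conf)
if chrony_cmdport_disabled "$sample"; then
    echo "before: cmdport disabled"
else
    echo "before: chronyd would listen on UDP 323 (cmdport not 0)"
fi
set_cmdport_zero "$sample"
if chrony_cmdport_disabled "$sample"; then
    echo "after: cmdport disabled"
fi
rm -f "$sample"
```

To apply this to a live host, point the two functions at /etc/chrony.conf and restart chronyd afterwards; the directive only takes effect when the daemon re-reads its configuration. Local management through chronyc over the Unix domain socket is unaffected, so the change only removes the network-facing management port.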

Remediation - Ansible

- name: Disable network management of chrony daemon
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/chrony.conf