Configure Time Service to use NTS

An XCCDF Rule

Description

The system should be configured to use time servers that support Network Time Security (NTS). The specified time server must support NTS and must be configured to use NTS. To configure NTS for given time server add nts to each server or pool line in /etc/chrony.conf.

Rationale

Network Time Security (NTS) uses Transport Layer Security (TLS) to secure Network Time Protocol (NTP) communications. Not using NTS could allow an attacker to interpret and modify the data sent back from the time server Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.

ID: xccdf_org.ssgproject.content_rule_chrony_set_nts
Severity: Medium
Updated: about 1 month ago

Remediation Templates

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - chrony_set_nts
  - low_complexity  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: Configure Time Service to use NTS - Check That /etc/ntp.conf Exist
  ansible.builtin.stat:
    path: /etc/ntp.conf
  register: ntp_conf_exist_result
  when:
  - '"kernel" in ansible_facts.packages'
  - '"chrony" in ansible_facts.packages'
  tags:
  - chrony_set_nts
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure Time Service to use NTS - Set the nts Values in /etc/ntp.conf
  ansible.builtin.replace:
    path: /etc/ntp.conf
    regexp: (^server\s+((?!nts).)*)$
    replace: \1 nts\n
  when:
  - '"kernel" in ansible_facts.packages'
  - '"chrony" in ansible_facts.packages'
  - ntp_conf_exist_result.stat.exists
  tags:
  - chrony_set_nts
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure Time Service to use NTS - Check That /etc/chrony.conf Exist
  ansible.builtin.stat:
    path: /etc/chrony.conf
  register: chrony_conf_exist_result
  when:
  - '"kernel" in ansible_facts.packages'
  - '"chrony" in ansible_facts.packages'
  tags:
  - chrony_set_nts
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure Time Service to use NTS - Set the nts Values in /etc/chrony.conf
  ansible.builtin.replace:
    path: /etc/chrony.conf
    regexp: (^(?:server|pool|peer)\s+((?!nts).)*)$
    replace: \1 nts\n
  when:
  - '"kernel" in ansible_facts.packages'
  - '"chrony" in ansible_facts.packages'
  - chrony_conf_exist_result.stat.exists
  tags:
  - chrony_set_nts
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure Time Service to use NTS - Get Conf Files from /etc/chrony.d/
  ansible.builtin.find:
    path: /etc/chrony.d/
    patterns: '*.conf'
    file_type: file
  register: chrony_d_conf_files
  when:
  - '"kernel" in ansible_facts.packages'
  - '"chrony" in ansible_facts.packages'
  tags:
  - chrony_set_nts
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure Time Service to use NTS - Set the maxpoll Values in /etc/chrony.d/
  ansible.builtin.replace:
    path: '{{ item.path }}'
    regexp: (^(?:server|pool|peer)\s+((?!maxpoll).)*)$
    replace: \1 nts\n
  loop: '{{ chrony_d_conf_files.files }}'
  when:
  - '"kernel" in ansible_facts.packages'
  - '"chrony" in ansible_facts.packages'
  - chrony_d_conf_files.matched
  tags:
  - chrony_set_nts
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel && { rpm --quiet -q chrony; }; then
pof="/usr/sbin/pidof"


CONFIG_FILES="/etc/ntp.conf"$pof ntpd || {
    CHRONY_D_PATH=/etc/chrony.d/
    mapfile -t CONFIG_FILES < <(find ${CHRONY_D_PATH}.* -type f -name '*.conf')
    CONFIG_FILES+=(/etc/chrony.conf)
}

# get list of ntp files

for config_file in "${CONFIG_FILES[@]}" ; do
    # Add maxpoll to server, pool or peer entries without maxpoll
    grep "^\(server\|pool\|peer\)" "$config_file" | grep -v maxpoll | while read -r line ; do
        sed -i "s/$line/& nts/" "$config_file"
    done
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Configure Time Service to use NTS

Description

Rationale

Remediation Templates

An Ansible Snippet

A Shell Script