OpenShift must use internal system clocks to generate audit record time stamps.

An XCCDF Rule

Description

Knowing when a sequence of events for an incident occurred is crucial to understand what may have taken place. Without a common clock, the components generating audit events could be out of synchronization and would then present a picture of the event that is warped and corrupted. To give a clear picture, it is important that the container platform and its components use a common internal clock.

ID: SV-257525r960927_rule
Version: CNTR-OS-000230
Severity: Medium
References: CCI-000159
Updated: about 2 months ago

Remediation Templates

Apply the machine config to use internal system clocks for audit records by executing the following:

for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do
echo "apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:  name: 80-chronyd-service-enable-$mcpool
  labels:
    machineconfiguration.openshift.io/role: $mcpool
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: chronyd.service
        enabled: true
" | oc apply -f -
done

OpenShift must use internal system clocks to generate audit record time stamps.

Description

Remediation Templates

A Manual Procedure