Enable the NTP Daemon
An XCCDF Rule
Description
Run the following command to determine the current status of the
chronyd
service:
$ sudo systemctl is-active chronydIf the service is running, it should return the following:
activeNote: The
chronyd
daemon is enabled by default.
Run the following command to determine the current status of the
ntpd
service:
$ sudo systemctl is-active ntpdIf the service is running, it should return the following:
activeNote: The
ntpd
daemon is not enabled by default. Though as mentioned
in the previous sections in certain environments the ntpd
daemon might
be preferred to be used rather than the chronyd
one. Refer to:
https://docs.oracle.com/en/operating-systems/oracle-linux/7/network/ol7-nettime.html
for guidance which NTP daemon to choose depending on the environment used.
Rationale
Enabling some of chronyd
or ntpd
services ensures
that the NTP daemon will be running and that the system will synchronize its
time to any servers specified. This is important whether the system is
configured to be a client (and synchronize only its own clock) or it is also
acting as an NTP server to other systems. Synchronizing time is essential for
authentication services such as Kerberos, but it is also important for
maintaining accurate logs and auditing possible security breaches.
The chronyd
and ntpd
NTP daemons offer all of the
functionality of ntpdate
, which is now deprecated.
- ID
- xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
if rpm --quiet -q "chrony" ; then
if ! /usr/sbin/pidof ntpd ; then
/usr/bin/systemctl enable "chronyd"
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- NIST-800-171-3.3.7
- NIST-800-53-AU-12(1)