Disable network management of chrony daemon
An XCCDF Rule
Description
The cmdport
option in /etc/chrony.conf
can be set to
0
to stop chrony daemon from listening on the UDP port 323
for management connections made by chronyc.
Rationale
Minimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface.
- ID
- xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network
- Severity
- Low
- Updated
Remediation - Ansible
- name: Disable network management of chrony daemon
block:
- name: Check for duplicate values
lineinfile:
path: /etc/chrony.conf
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^cmdport")