Skip to content

Enable the NTP Daemon

An XCCDF Rule

Description

As a user with administrator privileges, log into a node in the relevant pool:

$ oc debug node/$NODE_NAME
At the
sh-4.4#
prompt, run:
# chroot /host
Run the following command to determine the current status of the chronyd service:
$ sudo systemctl is-active chronyd
If the service is running, it should return the following:
active
Note: The chronyd daemon is enabled by default.

As a user with administrator privileges, log into a node in the relevant pool:
$ oc debug node/$NODE_NAME
At the
sh-4.4#
prompt, run:
# chroot /host
Run the following command to determine the current status of the ntpd service:
$ sudo systemctl is-active ntpd
If the service is running, it should return the following:
active
Note: The ntpd daemon is not enabled by default. Though as mentioned in the previous sections in certain environments the ntpd daemon might be preferred to be used rather than the chronyd one. Refer to: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite for guidance which NTP daemon to choose depending on the environment used.

Rationale

Enabling some of chronyd or ntpd services ensures that the NTP daemon will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.

The chronyd and ntpd NTP daemons offer all of the functionality of ntpdate, which is now deprecated.

ID
xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled
Severity
Medium
References
Updated