Enable the NTP Daemon
An XCCDF Rule
Description
As a user with administrator privileges, log into a node in the relevant pool:
$ oc debug node/$NODE_NAME
At the sh-4.4# prompt, run:
# chroot /host
Run the following command to determine the current status of the chronyd service:
$ sudo systemctl is-active chronyd
If the service is running, it should return the following:
active
Note: The chronyd daemon is enabled by default.
As a user with administrator privileges, log into a node in the relevant pool:
$ oc debug node/$NODE_NAME
At the sh-4.4# prompt, run:
# chroot /host
Run the following command to determine the current status of the ntpd service:
$ sudo systemctl is-active ntpd
If the service is running, it should return the following:
active
Note: The ntpd daemon is not enabled by default. However, as mentioned in the previous sections, in certain environments the ntpd daemon might be preferred over chronyd. Refer to:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite
for guidance on which NTP daemon to choose depending on the environment used.
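The two manual checks above can be run across every node in a pool and combined into the rule's "chronyd or ntpd" condition. The script below is an added example, not part of the rule content; the POOL_SELECTOR variable and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: evaluate "chronyd or ntpd is active" on each node of a pool.
# Assumption: POOL_SELECTOR is a name chosen here for the node label selector,
# for example node-role.kubernetes.io/worker.

# Echo the `systemctl is-active` state of service $2 on node $1.
service_state() {
    # is-active exits non-zero for anything but "active"; only the text matters.
    out=$(oc debug "node/$1" -- chroot /host systemctl is-active "$2" 2>/dev/null) || true
    # Keep the last non-empty line in case the debug pod prints extra output.
    state=$(printf '%s\n' "$out" | awk 'NF { last = $1 } END { print last }')
    # An empty result means the node could not be queried at all.
    echo "${state:-unknown}"
}

# Echo PASS if either daemon is active on node $1, otherwise FAIL.
node_verdict() {
    chrony=$(service_state "$1" chronyd)
    ntp=$(service_state "$1" ntpd)
    if [ "$chrony" = active ] || [ "$ntp" = active ]; then
        echo "PASS chronyd=$chrony ntpd=$ntp"
    else
        echo "FAIL chronyd=$chrony ntpd=$ntp"
    fi
}

# Print one line per node matched by selector $1.
# Returns 0 if all nodes pass, 1 if any node fails, 2 if no node matched.
check_pool() {
    rc=0
    seen=0
    for node in $(oc get nodes -l "$1" -o name); do
        seen=1
        name=${node#node/}
        verdict=$(node_verdict "$name")
        echo "$name $verdict"
        case $verdict in FAIL*) rc=1 ;; esac
    done
    if [ "$seen" -eq 0 ]; then
        echo "no nodes matched selector $1" >&2
        return 2
    fi
    return $rc
}

# Run only when a selector is supplied, so the functions can also be sourced.
if [ -n "${POOL_SELECTOR:-}" ]; then
    check_pool "$POOL_SELECTOR"
fi
```

A node that cannot be queried reports unknown for both services and is counted as a failure rather than silently skipped.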
Rationale
Enabling either the chronyd or the ntpd service ensures
that the NTP daemon will be running and that the system will synchronize its
time to any servers specified. This is important whether the system is
configured to be a client (and synchronize only its own clock) or it is also
acting as an NTP server to other systems. Synchronizing time is essential for
authentication services such as Kerberos, but it is also important for
maintaining accurate logs and auditing possible security breaches.
The chronyd and ntpd NTP daemons offer all of the functionality of ntpdate, which is now deprecated.
- ID
- xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled
- Severity
- Medium
- References
- Updated