Enable the NTP Daemon

An XCCDF Rule

Description

The ntp service can be enabled with the following command:

$ sudo systemctl enable ntp.service

warning alert: Warning

The

ntp

package is not available in Red Hat Enterprise Linux 8. Please consider the

chrony

package instead together with the respective

service_chronyd_enabled

rule.

Rationale

Enabling the ntp service ensures that the ntp service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.

The NTP daemon offers all of the functionality of ntpdate, which is now deprecated.

ID: xccdf_org.ssgproject.content_rule_service_ntp_enabled
Severity: High
References: 1 14 15 16 3 5 6

APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01

CCI-000160

4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4

SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9

A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1

AU-8(1)(a) CM-6(a)

PR.PT-1

Req-10.4

10.6 10.6.1
Updated: about 1 month ago

Remediation Templates

include enable_ntp
class enable_ntp {
  service {'ntp':
    enable => true,
    ensure => 'running',
  }
}

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-AU-8(1)(a)
  - NIST-800-53-CM-6(a)  - PCI-DSS-Req-10.4
  - PCI-DSSv4-10.6
  - PCI-DSSv4-10.6.1
  - enable_strategy
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_ntp_enabled
- name: Enable the NTP Daemon - Enable service ntp
  block:

  - name: Gather the package facts
    package_facts:
      manager: auto

  - name: Enable the NTP Daemon - Enable Service ntp
    ansible.builtin.systemd:
      name: ntp
      enabled: true
      state: started
      masked: false
    when:
    - '"ntp" in ansible_facts.packages'
  when:
  - '"kernel" in ansible_facts.packages'
  - '"ntp" in ansible_facts.packages'
  tags:
  - NIST-800-53-AU-8(1)(a)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4
  - PCI-DSSv4-10.6
  - PCI-DSSv4-10.6.1
  - enable_strategy
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_ntp_enabled

service enable ntp

[customizations.services]
enabled = ["ntp"]

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel && { rpm --quiet -q ntp; }; then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'ntp.service'
"$SYSTEMCTL_EXEC" start 'ntp.service'
"$SYSTEMCTL_EXEC" enable 'ntp.service'
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Enable the NTP Daemon

Description

Rationale

Remediation Templates

A Puppet Snippet

An Ansible Snippet

script:kickstart

OS Build Blueprint

A Shell Script