Enable the NTP Daemon

An XCCDF Rule

Description

The ntp service can be enabled with the following command:

$ sudo systemctl enable ntp.service

Rationale

Enabling the ntp service ensures that the ntp service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.

The NTP daemon offers all of the functionality of ntpdate, which is now deprecated.

ID: xccdf_org.ssgproject.content_rule_service_ntp_enabled
Severity: High
References: NT012(R03)

1 14 15 16 3 5 6

APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01

CCI-000160

4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4

SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9

A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1

AU-8(1)(a) CM-6(a)

PR.PT-1

Req-10.4

10.6.1
Updated: about 1 year ago


[customizations.services]
enabled = ["ntp"]

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-AU-8(1)(a)
  - NIST-800-53-CM-6(a)  - PCI-DSS-Req-10.4
  - PCI-DSSv4-10.6.1
  - enable_strategy
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_ntp_enabled

- name: Enable service ntp
  block:

  - name: Gather the package facts
    package_facts:
      manager: auto

  - name: Enable service ntp
    systemd:
      name: ntp
      enabled: 'yes'
      state: started
      masked: 'no'
    when:
    - '"ntp" in ansible_facts.packages'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - '"ntp" in ansible_facts.packages'
  tags:
  - NIST-800-53-AU-8(1)(a)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4
  - PCI-DSSv4-10.6.1
  - enable_strategy
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_ntp_enabled

include enable_ntp

class enable_ntp {
  service {'ntp':
    enable => true,
    ensure => 'running',  }
}

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q ntp; }; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'ntp.service'
"$SYSTEMCTL_EXEC" start 'ntp.service'"$SYSTEMCTL_EXEC" enable 'ntp.service'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Enable the NTP Daemon

Description

Rationale

Remediation - OS Build Blueprint

Remediation - Ansible

Remediation - Puppet

Remediation - Shell Script