Configure Time Service Maxpoll Interval

An XCCDF Rule

Description

The maxpoll should be configured to in /etc/ntp.conf or /etc/chrony.conf to continuously poll time servers. To configure maxpoll in /etc/ntp.conf or /etc/chrony.conf add the following after each `server`, `pool` or `peer` entry:

maxpoll

server

directives. If using chrony any

pool

directives should be configured too. If no server or pool directives are configured, the rule evaluates to pass.

Rationale

Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).

ID: xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll
Severity: Medium
References: 1 14 15 16 3 5 6

APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01

CCI-001891 CCI-002046

4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4

SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9

A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1

AU-12(1) AU-8(1)(b) CM-6(a)

PR.PT-1

SRG-OS-000355-GPOS-00143 SRG-OS-000356-GPOS-00144 SRG-OS-000359-GPOS-00146

SV-204603r877038_rule
Updated: over 1 year ago

Remediation Templates

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0    storage:
      files:
      - contents:
          source: data:,{{ %23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking }}
        mode: 420
        overwrite: true
        path: /etc/chrony.conf
      - contents:
          source: data:,
        mode: 420
        overwrite: true
        path: /etc/chrony.d/.mco-keep
      - contents:
          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }}
        mode: 420
        overwrite: true
        path: /etc/chrony.d/ntp-server.conf

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( rpm --quiet -q chrony || rpm --quiet -q ntp ); }; then
var_time_service_set_maxpoll='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_time_service_set_maxpoll" use="legacy"/>'



pof="/usr/sbin/pidof"


CONFIG_FILES="/etc/ntp.conf"
$pof ntpd || {
    CHRONY_NAME=/etc/chrony.conf
    CHRONY_PATH=${CHRONY_NAME%%.*}
    CONFIG_FILES=$(find ${CHRONY_PATH}.* -type f -name '*.conf')
}

# get list of ntp files

for config_file in $CONFIG_FILES; do
    # Set maxpoll values to var_time_service_set_maxpoll
    sed -i "s/^\(\(server\|pool\|peer\).*maxpoll\) [0-9][0-9]*\(.*\)$/\1 $var_time_service_set_maxpoll \3/" "$config_file"
done




for config_file in $CONFIG_FILES; do
    # Add maxpoll to server, pool or peer entries without maxpoll
    grep "^\(server\|pool\|peer\)" "$config_file" | grep -v maxpoll | while read -r line ; do
        sed -i "s/$line/& maxpoll $var_time_service_set_maxpoll/" "$config_file"
    done
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-RHEL-07-040500
  - NIST-800-53-AU-12(1)  - NIST-800-53-AU-8(1)(b)
  - NIST-800-53-CM-6(a)
  - chronyd_or_ntpd_set_maxpoll
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_time_service_set_maxpoll # promote to variable
  set_fact:
    var_time_service_set_maxpoll: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_time_service_set_maxpoll" use="legacy"/>
  tags:
    - always
- name: Configure Time Service Maxpoll Interval - Check That /etc/ntp.conf Exist
  ansible.builtin.stat:
    path: /etc/ntp.conf
  register: ntp_conf_exist_result
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ( "chrony" in ansible_facts.packages or "ntp" in ansible_facts.packages )
  tags:
  - DISA-STIG-RHEL-07-040500
  - NIST-800-53-AU-12(1)
  - NIST-800-53-AU-8(1)(b)
  - NIST-800-53-CM-6(a)
  - chronyd_or_ntpd_set_maxpoll
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure Time Service Maxpoll Interval - Update the Maxpoll Values in /etc/ntp.conf
  ansible.builtin.replace:
    path: /etc/ntp.conf
    regexp: ^(server.*maxpoll)[ ]+[0-9]+(.*)$
    replace: \1 {{ var_time_service_set_maxpoll }}\2
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ( "chrony" in ansible_facts.packages or "ntp" in ansible_facts.packages )
  - ntp_conf_exist_result.stat.exists
  tags:
  - DISA-STIG-RHEL-07-040500
  - NIST-800-53-AU-12(1)
  - NIST-800-53-AU-8(1)(b)
  - NIST-800-53-CM-6(a)
  - chronyd_or_ntpd_set_maxpoll
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure Time Service Maxpoll Interval - Set the Maxpoll Values in /etc/ntp.conf
  ansible.builtin.replace:
    path: /etc/ntp.conf
    regexp: (^server\s+((?!maxpoll).)*)$
    replace: \1 maxpoll {{ var_time_service_set_maxpoll }}\n
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ( "chrony" in ansible_facts.packages or "ntp" in ansible_facts.packages )
  - ntp_conf_exist_result.stat.exists
  tags:
  - DISA-STIG-RHEL-07-040500
  - NIST-800-53-AU-12(1)
  - NIST-800-53-AU-8(1)(b)
  - NIST-800-53-CM-6(a)
  - chronyd_or_ntpd_set_maxpoll
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure Time Service Maxpoll Interval - Check That /etc/chrony.conf Exist
  ansible.builtin.stat:
    path: /etc/chrony.conf
  register: chrony_conf_exist_result
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ( "chrony" in ansible_facts.packages or "ntp" in ansible_facts.packages )
  tags:
  - DISA-STIG-RHEL-07-040500
  - NIST-800-53-AU-12(1)
  - NIST-800-53-AU-8(1)(b)
  - NIST-800-53-CM-6(a)
  - chronyd_or_ntpd_set_maxpoll
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure Time Service Maxpoll Interval - Set Chrony Path Facts
  ansible.builtin.set_fact:
    chrony_path: /etc/chrony.conf
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ( "chrony" in ansible_facts.packages or "ntp" in ansible_facts.packages )
  tags:
  - DISA-STIG-RHEL-07-040500
  - NIST-800-53-AU-12(1)
  - NIST-800-53-AU-8(1)(b)
  - NIST-800-53-CM-6(a)
  - chronyd_or_ntpd_set_maxpoll
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure Time Service Maxpoll Interval - Get Conf Files from {{ chrony_path
    | dirname }}
  ansible.builtin.find:
    path: '{{ chrony_path | dirname }}'
    patterns: '*.conf'
    file_type: file
  register: chrony_conf_files
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ( "chrony" in ansible_facts.packages or "ntp" in ansible_facts.packages )
  tags:
  - DISA-STIG-RHEL-07-040500
  - NIST-800-53-AU-12(1)
  - NIST-800-53-AU-8(1)(b)
  - NIST-800-53-CM-6(a)
  - chronyd_or_ntpd_set_maxpoll
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure Time Service Maxpoll Interval - Update the Maxpoll Values in /etc/chrony.conf
  ansible.builtin.replace:
    path: '{{ item.path }}'
    regexp: ^((?:server|pool|peer).*maxpoll)[ ]+[0-9]+(.*)$
    replace: \1 {{ var_time_service_set_maxpoll }}\2
  loop: '{{ chrony_conf_files.files }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ( "chrony" in ansible_facts.packages or "ntp" in ansible_facts.packages )
  - chrony_conf_files.matched
  tags:
  - DISA-STIG-RHEL-07-040500
  - NIST-800-53-AU-12(1)
  - NIST-800-53-AU-8(1)(b)
  - NIST-800-53-CM-6(a)
  - chronyd_or_ntpd_set_maxpoll
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure Time Service Maxpoll Interval - Set the Maxpoll Values in /etc/chrony.conf
  ansible.builtin.replace:
    path: '{{ item.path }}'
    regexp: (^(?:server|pool|peer)\s+((?!maxpoll).)*)$
    replace: \1 maxpoll {{ var_time_service_set_maxpoll }}\n
  loop: '{{ chrony_conf_files.files }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ( "chrony" in ansible_facts.packages or "ntp" in ansible_facts.packages )
  - chrony_conf_files.matched
  tags:
  - DISA-STIG-RHEL-07-040500
  - NIST-800-53-AU-12(1)
  - NIST-800-53-AU-8(1)(b)
  - NIST-800-53-CM-6(a)
  - chronyd_or_ntpd_set_maxpoll
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Configure Time Service Maxpoll Interval

Description

Rationale

Remediation Templates

A Kubernetes Patch

A Shell Script

An Ansible Snippet