Specify Additional Remote NTP Servers

An XCCDF Rule

Description

Depending on specific functional requirements of a concrete production environment, the Red Hat Enterprise Linux 7 system can be configured to utilize the services of the chronyd NTP daemon (the default), or services of the ntpd NTP daemon. Refer to https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite for more detailed comparison of the features of both of the choices, and for further guidance how to choose between the two NTP daemons.
Additional NTP servers can be specified for time synchronization. To do so, perform the following:

if the system is configured to use the chronyd as the NTP daemon (the default), edit the file /etc/chrony.conf as follows,
if the system is configured to use the ntpd as the NTP daemon, edit the file /etc/ntp.conf as documented below.

Add additional lines of the following form, substituting the IP address or hostname of a remote NTP server for ntpserver:

server ntpserver

Rationale

Specifying additional NTP servers increases the availability of accurate time data, in the event that one of the specified servers becomes unavailable. This is typical for a system acting as an NTP server for other systems.

ID: xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers
Severity: Medium
References: 1 14 15 16 3 5 6

APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01

4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4

SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9

0988 1405

A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1

AU-12(1) AU-8(1)(a) AU-8(2) CM-6(a)

PR.PT-1

Req-10.4.3
Updated: about 1 year ago

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking }}
        mode: 420
        overwrite: true
        path: /etc/chrony.conf
      - contents:
          source: data:,
        mode: 420
        overwrite: true
        path: /etc/chrony.d/.mco-keep
      - contents:
          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }}
        mode: 420
        overwrite: true
        path: /etc/chrony.d/ntp-server.conf

- name: XCCDF Value var_multiple_time_servers # promote to variable
  set_fact:
    var_multiple_time_servers: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_multiple_time_servers" use="legacy"/>
  tags:
    - always
- name: Detect if chrony configuration file is present
  find:
    path: /etc
    patterns: chrony.conf
  register: chrony_server_config
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AU-12(1)
  - NIST-800-53-AU-8(1)(a)
  - NIST-800-53-AU-8(2)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4.3
  - chronyd_or_ntpd_specify_multiple_servers
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Configure multiple time servers in chrony config
  lineinfile:
    path: /etc/chrony.conf
    line: server {{ item }}
    state: present
    create: true
  loop: '{{ var_multiple_time_servers.split(",") }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - chrony_server_config.matched == 1
  tags:
  - NIST-800-53-AU-12(1)
  - NIST-800-53-AU-8(1)(a)
  - NIST-800-53-AU-8(2)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4.3
  - chronyd_or_ntpd_specify_multiple_servers
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Detect if NTP configuration file is present
  find:
    path: /etc
    patterns: ntp.conf
  register: ntp_server_config
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AU-12(1)
  - NIST-800-53-AU-8(1)(a)
  - NIST-800-53-AU-8(2)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4.3
  - chronyd_or_ntpd_specify_multiple_servers
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Configure multiple time servers in NTP config
  lineinfile:
    path: /etc/chrony.conf
    line: pool {{ item }}
    state: present
    create: true
  loop: '{{ var_multiple_time_servers.split(",") }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ntp_server_config.matched == 1
  tags:
  - NIST-800-53-AU-12(1)
  - NIST-800-53-AU-8(1)(a)
  - NIST-800-53-AU-8(2)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4.3
  - chronyd_or_ntpd_specify_multiple_servers
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

var_multiple_time_servers='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_multiple_time_servers" use="legacy"/>'

config_file="/etc/ntp.conf"
/usr/sbin/pidof ntpd || config_file="/etc/chrony.conf"

if ! [ "$(grep -c '^server' "$config_file")" -gt 1 ] ; then
  if ! grep -q '#[[:space:]]*server' "$config_file" ; then
    for server in $(echo "$var_multiple_time_servers" | tr ',' '\n') ; do
      printf '\nserver %s' "$server" >> "$config_file"
    done
  else
    sed -i 's/#[ \t]*server/server/g' "$config_file"
  fi
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Specify Additional Remote NTP Servers

Description

Rationale

Remediation - Kubernetes Patch

Remediation - Ansible

Remediation - Shell Script