Synchronize internal information system clocks

An XCCDF Rule

Description

Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.

Rationale

Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events.

ID: xccdf_org.ssgproject.content_rule_chronyd_sync_clock
Severity: Medium
References: CCI-002046 CCI-004926

SRG-OS-000356-GPOS-00144

UBTU-22-252015

SV-260520r986274_rule
Updated: over 1 year ago

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}
' 'kernel' 2>/dev/null | grep -q installed; then

if [ -e "/etc/chrony/chrony.conf" ] ; then
        LC_ALL=C sed -i "/^\s*makestep /Id" "/etc/chrony/chrony.conf"
else
    touch "/etc/chrony/chrony.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/chrony/chrony.conf"

cp "/etc/chrony/chrony.conf" "/etc/chrony/chrony.conf.bak"
# Insert at the end of the file
printf '%s\n' "makestep 1 1" >> "/etc/chrony/chrony.conf"
# Clean up after ourselves.
rm "/etc/chrony/chrony.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-UBTU-22-252015
  - chronyd_sync_clock  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Synchronize internal information system clocks
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/chrony/chrony.conf
      create: true
      regexp: '(?i)^\s*makestep '
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/chrony/chrony.conf
    lineinfile:
      path: /etc/chrony/chrony.conf
      create: true
      regexp: '(?i)^\s*makestep '
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/chrony/chrony.conf
    lineinfile:
      path: /etc/chrony/chrony.conf
      create: true
      regexp: '(?i)^\s*makestep '
      line: makestep 1 1
      state: present
  when: '"kernel" in ansible_facts.packages'
  tags:
  - DISA-STIG-UBTU-22-252015
  - chronyd_sync_clock
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

Synchronize internal information system clocks

Description

Rationale

Remediation - Shell Script

Remediation - Ansible