2.1.1.3 Ensure chrony is configured - timesyncd masked

Information

chrony is a daemon which implements the Network Time Protocol (NTP) and is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at: http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server.

Notes:

If ntp or systemd-timesyncd are used, chrony should be removed and this section skipped.

This recommendation only applies if chrony is in use on the system.

Only one time synchronization method should be in use on the system.

Rationale:

If chrony is in use on the system, proper configuration is vital to ensuring that time synchronization is working properly.

Solution

Remove and/or disable additional time synchronization methods:
Run the following command to remove ntp:

# apt purge ntp

Run the following command to stop and mask systemd-timesyncd:

# systemctl --now mask systemd-timesyncd

Configure chrony:
Add or edit server or pool lines to /etc/chrony/chrony.conf as appropriate:

server <remote-server>

Add or edit the user line to /etc/chrony/chrony.conf:

user _chrony
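
One way to audit the settings above after remediation, as an added example that is not part of the benchmark text. The function names, the sample configuration and the host name time.example.org are constructed for illustration; the strict rule that no user line may name another account is an assumption of this example.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the benchmark.

# Pass if at least one uncommented server or pool line names a source.
has_time_source() {
    grep -Eq '^[[:space:]]*(server|pool)[[:space:]]+[^[:space:]#]+' "$1"
}

# Pass if a "user _chrony" line exists and no user line names another account.
runs_as_chrony_user() {
    awk '$1 == "user" { if ($2 == "_chrony") ok = 1; else bad = 1 }
         END { exit !(ok && !bad) }' "$1"
}

# $1 is the text printed by: systemctl is-enabled systemd-timesyncd
timesyncd_is_masked() {
    [ "$1" = "masked" ]
}

# audit_chrony <chrony.conf path> <is-enabled output>; returns the failure count.
audit_chrony() {
    failures=0
    has_time_source "$1"     || { echo "FAIL: no server or pool line in $1"; failures=$((failures + 1)); }
    runs_as_chrony_user "$1" || { echo "FAIL: user is not _chrony in $1"; failures=$((failures + 1)); }
    timesyncd_is_masked "$2" || { echo "FAIL: systemd-timesyncd is '$2', expected masked"; failures=$((failures + 1)); }
    [ "$failures" -eq 0 ] && echo "PASS: $1"
    return "$failures"
}

# Constructed sample configuration so the example runs offline.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'pool time.example.org iburst' 'user _chrony' > "$sample"
audit_chrony "$sample" masked
rm -f "$sample"

# On a real host (path and unit name as given in the text above):
# audit_chrony /etc/chrony/chrony.conf "$(systemctl is-enabled systemd-timesyncd 2>/dev/null)"
```

The exit status of audit_chrony is the number of failed checks, so it can be used directly in a compliance wrapper or cron job.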

See Also

https://workbench.cisecurity.org/files/2920

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-8, CSCv6|9.1, CSCv7|6.1

Plugin: Unix

Control ID: f4c3697d2f333917f3527cc7b02afd19a2307847064e0d961aaaf537379b5264