2.1.3.1 Ensure systemd-timesyncd configured with authorized timeserver

Information

NTP=

- A space-separated list of NTP server host names or IP addresses. During runtime this list is combined with any per-interface NTP servers acquired from systemd-networkd.service(8). systemd-timesyncd will contact all configured system or per-interface servers in turn, until one responds. When the empty string is assigned, the list of NTP servers is reset, and all prior assignments will have no effect. This setting defaults to an empty list.

FallbackNTP=

- A space-separated list of NTP server host names or IP addresses to be used as the fallback NTP servers. Any per-interface NTP servers obtained from systemd-networkd.service(8) take precedence over this setting, as do any servers set via NTP= above. This setting is hence only relevant if no other NTP server information is known. When the empty string is assigned, the list of NTP servers is reset, and all prior assignments will have no effect. If this option is not given, a compiled-in list of NTP servers is used.

Time synchronization is important to support time-sensitive security mechanisms and to ensure log files have consistent time records across the enterprise to aid in forensic investigations.

Solution

Edit /etc/systemd/timesyncd.conf and add the NTP= and/or FallbackNTP= lines to the [Time] section:

Example:

[Time]
# Uses the generic name for NIST's time servers
NTP=time.nist.gov
-AND/OR-
# Space-separated list of NIST time servers
FallbackNTP=time-a-g.nist.gov time-b-g.nist.gov time-c-g.nist.gov

Note: Servers added to these line(s) should follow local site policy. The NIST servers are shown only as an example. Keep comments on their own lines: systemd configuration files do not support a comment after a value on the same line, so text following the server list would be parsed as additional server names.

Example script:

The following example script will add the example NIST time servers to /etc/systemd/timesyncd.conf.

#!/usr/bin/env bash

{
    l_ntp_ts="time.nist.gov"
    l_ntp_fb="time-a-g.nist.gov time-b-g.nist.gov time-c-g.nist.gov"
    l_conf_file="/etc/systemd/timesyncd.conf"
    # Add NTP= only if no non-empty NTP= line exists; write the [Time] section header first if it is missing
    if ! grep -Pqs '^\h*NTP=\H+' "$l_conf_file"; then
        ! grep -Pqs '^\h*\[Time\]' "$l_conf_file" && echo "[Time]" >> "$l_conf_file"
        echo "NTP=$l_ntp_ts" >> "$l_conf_file"
    fi
    # Same for FallbackNTP=
    if ! grep -Pqs '^\h*FallbackNTP=\H+' "$l_conf_file"; then
        ! grep -Pqs '^\h*\[Time\]' "$l_conf_file" && echo "[Time]" >> "$l_conf_file"
        echo "FallbackNTP=$l_ntp_fb" >> "$l_conf_file"
    fi
}

Run the following command to reload the systemd-timesyncd configuration:

# systemctl try-reload-or-restart systemd-timesyncd

-OR-

If another time synchronization service is in use on the system, run the following command to stop and mask systemd-timesyncd:

# systemctl --now mask systemd-timesyncd
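As an added audit counterpart to the remediation above (example code written for this page, not part of the CIS benchmark and not systemd's own tooling), the following POSIX shell script parses a timesyncd.conf-style file the way the Information section describes: comment lines are ignored, only the [Time] section counts, a later assignment replaces an earlier one, and an empty assignment resets the list. The function names write_sample, timesyncd_effective and timesyncd_check are chosen here; the sample configurations are constructed for the demonstration and are not copied from any real host.

```shell
#!/usr/bin/env sh
# Added audit helper: not part of the CIS benchmark text or of systemd itself.
# It reads a timesyncd.conf-style file and reports the effective NTP= and
# FallbackNTP= values from its [Time] section using the rules quoted above.

# Print the effective value of key $2 (NTP or FallbackNTP) from the [Time]
# section of file $1; prints an empty line when the key is unset or was reset.
timesyncd_effective() {
    conf="$1"; key="$2"
    awk -v key="$key" '
        /^[ \t]*[#;]/ { next }                                   # comment line
        /^[ \t]*\[/   { in_time = ($0 ~ /^[ \t]*\[Time\][ \t]*$/); next }
        in_time {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)      # key, whitespace around = ignored
            if (k != key) next
            v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            val = v                                              # last assignment wins; "" resets
        }
        END { print val }
    ' "$conf"
}

# Benchmark condition: at least one server is set via NTP= or FallbackNTP=.
# Returns 0 (pass) or 1 (fail) so it can drive a larger audit script.
timesyncd_check() {
    ntp="$(timesyncd_effective "$1" NTP)"
    fb="$(timesyncd_effective "$1" FallbackNTP)"
    if [ -n "$ntp" ] || [ -n "$fb" ]; then
        echo "PASS $1: NTP='$ntp' FallbackNTP='$fb'"
        return 0
    fi
    echo "FAIL $1: no NTP= or FallbackNTP= server set in the [Time] section"
    return 1
}

# Constructed sample files (not taken from any real host) covering the cases
# the parsing rules distinguish; file path in $1, variant name in $2.
write_sample() {
    case "$2" in
        good)    printf '[Time]\n# NIST servers as in the benchmark example\nNTP=time.nist.gov\nFallbackNTP = time-a-g.nist.gov time-b-g.nist.gov\n' > "$1" ;;
        reset)   printf '[Time]\nNTP=time.nist.gov\nNTP=\n' > "$1" ;;      # empty assignment resets the list
        section) printf '[Other]\nNTP=time.nist.gov\n' > "$1" ;;           # wrong section, does not count
        comment) printf '[Time]\n;NTP=time.nist.gov\n' > "$1" ;;           # commented out, does not count
    esac
}

# Demonstration: run the check over each constructed sample.
tmpdir="$(mktemp -d)"
for variant in good reset section comment; do
    write_sample "$tmpdir/$variant.conf" "$variant"
    timesyncd_check "$tmpdir/$variant.conf" || true
done
rm -rf "$tmpdir"
```

On a real host, call timesyncd_check /etc/systemd/timesyncd.conf. Note that systemd also reads drop-in files under /etc/systemd/timesyncd.conf.d/, which this helper and the remediation script above do not cover, and that timedatectl timesync-status shows which server the running daemon actually selected, which is the final confirmation that the configured list is in effect.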

See Also

https://workbench.cisecurity.org/benchmarks/13007

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-7, 800-53|AU-8, CSCv7|6.1

Plugin: Unix

Control ID: 9ed6ad0218409976def6f731c8887e101dfa6588e1de5691c64fd9e81f943d53