2.1.3.1 Ensure systemd-timesyncd configured with authorized timeserver - FallbackNTP

Information

NTP=

A space-separated list of NTP server host names or IP addresses. During runtime this list is combined with any per-interface NTP servers acquired from systemd-networkd.service(8). systemd-timesyncd will contact all configured system or per-interface servers in turn, until one responds. When the empty string is assigned, the list of NTP servers is reset, and all prior assignments will have no effect. This setting defaults to an empty list.

FallbackNTP=

A space-separated list of NTP server host names or IP addresses to be used as the fallback NTP servers. Any per-interface NTP servers obtained from systemd-networkd.service(8) take precedence over this setting, as do any servers set via NTP= above. This setting is hence only relevant if no other NTP server information is known. When the empty string is assigned, the list of NTP servers is reset, and all prior assignments will have no effect. If this option is not given, a compiled-in list of NTP servers is used.

Rationale:

Time synchronization is important to support time sensitive security mechanisms and to ensure log files have consistent time records across the enterprise to aid in forensic investigations

Solution

Edit or create a file in /etc/systemd/timesyncd.conf.d ending in .conf and add the NTP= and/or FallbackNTP= lines to the [Time] section:
Example:

[Time]
NTP=time.nist.gov # Uses the generic name for NIST's time servers
-AND/OR-
FallbackNTP=time-a-g.nist.gov time-b-g.nist.gov time-c-g.nist.gov # Space separated list of NIST time servers

Note: Servers added to these line(s) should follow local site policy. NIST servers are for example. The timesyncd.conf.d directory may need to be created
Example script: The following example script will create the systemd-timesyncd drop-in configuration snippet:

#!/usr/bin/env bash

ntp_ts='time.nist.gov'
ntp_fb='time-a-g.nist.gov time-b-g.nist.gov time-c-g.nist.gov'
disfile='/etc/systemd/timesyncd.conf.d/50-timesyncd.conf'
if ! find /etc/systemd -type f -name '*.conf' -exec grep -Ph '^h*NTP=H+' {} +; then
[ ! -d /etc/systemd/timesyncd.conf.d ] && mkdir /etc/systemd/timesyncd.conf.d
! grep -Pqs '^h*[Time]' '$disfile' && echo '[Time]' >> '$disfile'
echo 'NTP=$ntp_ts' >> '$disfile'
fi
if ! find /etc/systemd -type f -name '*.conf' -exec grep -Ph '^h*FallbackNTP=H+' {} +; then
[ ! -d /etc/systemd/timesyncd.conf.d ] && mkdir /etc/systemd/timesyncd.conf.d
! grep -Pqs '^h*[Time]' '$disfile' && echo '[Time]' >> '$disfile'
echo 'FallbackNTP=$ntp_fb' >> '$disfile'
fi

Run the following command to reload the systemd-timesyncd configuration:

# systemctl try-reload-or-restart systemd-timesyncd

OR
If another time synchronization service is in use on the system, run the following command to stop and mask systemd-timesyncd:

# systemctl --now mask systemd-timesyncd

Default Value:

#NTP=

#FallbackNTP=

Item Details

Audit Name: CIS Debian Linux 11 Server L1 v1.0.0

References: CSCv7|6.1

Plugin: Unix

Control ID: b926a05af1e3d9c466ae919b7b08ef14d70e327cfef20c31eb65b02ef343bd49

Detections

Analytics

2.1.3.1 Ensure systemd-timesyncd configured with authorized timeserver - FallbackNTP

Information

Solution

See Also

Item Details