3.6 Configure Network Time Protocol (NTP) - restrict -6 default kod nomodify nopeer notrap noquery

Information

The Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. The version of NTP delivered with Red Hat can be found at http://www.ntp.org. NTP can be configured to be a client and/or a server.

Rationale:

It is recommended that physical systems and virtual guests lacking direct access to the physical host's clock be configured as NTP clients to synchronize their clocks (especially to support time-sensitive security mechanisms like Kerberos). This also ensures log files have consistent time records across the enterprise, which aids in forensic investigations.

Solution

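Add the following restrict lines to /etc/ntp.conf. The script below removes any existing default restrict lines and inserts the required ones at the top of the file:

# Script to fix /etc/ntp.conf
# Work on a private copy; mktemp avoids a predictable file name in /tmp
tmpfile=$(mktemp /tmp/ntp.conf.XXXXXX) || exit 1
cp /etc/ntp.conf "$tmpfile"
# Drop any existing default restrict lines (IPv4 and IPv6)
grep -Ev '(restrict default|restrict -6 default)' "$tmpfile" > /etc/ntp.conf
# Insert the required defaults at the top of the file
ed /etc/ntp.conf << END
0a
restrict default kod nomodify nopeer notrap noquery
restrict -6 default kod nomodify nopeer notrap noquery
.
w
q
END
# Remove the working copy
rm -f "$tmpfile"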

Ensure /etc/ntp.conf has an NTP server specified:

server <ntp-server>

Note: <ntp-server> is the IP address or hostname of a trusted time server. Configuring an NTP server is outside the scope of this benchmark.
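
The check below is an added example, not part of the benchmark or the NTP distribution: a shell audit that confirms both default restrict lines carry all five flags and that a server line is present. The helper names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an ntp.conf for the settings this item requires.
# has_restrict, has_server and check_ntp_conf are hypothetical helper names.
REQUIRED_FLAGS="kod nomodify nopeer notrap noquery"

# has_restrict FILE FAMILY: FAMILY is "" (restrict default) or "-6".
# Passes only if a default line exists and every such line has all flags;
# failing on a weaker duplicate is a strictness choice made for this example.
has_restrict() {
    awk -v fam="$2" -v req="$REQUIRED_FLAGS" '
        { sub(/#.*/, "") }                       # strip comments
        $1 != "restrict" { next }
        {
            i = 2
            if (fam == "-6") { if ($2 != "-6") next; i = 3 }
            if ($i != "default") next
            split("", seen)                      # clear per-line flag set
            for (j = i + 1; j <= NF; j++) seen[$j] = 1
            n = split(req, want, " ")
            ok = 1
            for (k = 1; k <= n; k++) if (!(want[k] in seen)) ok = 0
            if (ok) found = 1; else bad = 1
        }
        END { exit !(found && !bad) }
    ' "$1"
}

# has_server FILE: passes if at least one "server <host>" line is present.
has_server() {
    awk '{ sub(/#.*/, "") } $1 == "server" && NF >= 2 { f = 1 } END { exit !f }' "$1"
}

# check_ntp_conf FILE: prints one line per failed check, returns 0 if compliant.
check_ntp_conf() {
    rc=0
    has_restrict "$1" ""   || { echo "FAIL: restrict default flags"; rc=1; }
    has_restrict "$1" "-6" || { echo "FAIL: restrict -6 default flags"; rc=1; }
    has_server "$1"        || { echo "FAIL: no server line"; rc=1; }
    return $rc
}

# Constructed sample: the IPv6 line is missing nopeer, so the audit fails.
sample=$(mktemp)
cat > "$sample" <<'EOF'
restrict default kod nomodify nopeer notrap noquery
restrict -6 default kod nomodify notrap noquery   # nopeer dropped
server ntp.example.test
EOF
check_ntp_conf "$sample" || echo "ntp.conf is not compliant"
rm -f "$sample"
```

Run it against a copy of /etc/ntp.conf after applying the script above; a commented-out restrict or server line is treated as absent.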

Default Value:

OS Default: N/A

See Also

https://workbench.cisecurity.org/files/3096

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-8, CSCv6|3.1, CSCv7|6.1

Plugin: Unix

Control ID: 30b2af5b46ea9379b90c6ba3ca2c50c67a0006cbab6e0d588dc6af33349b465c