2.1.1.1 Ensure a single time synchronization daemon is in use

Information

System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them.

Note:

- On virtual systems where host based time synchronization is available consult your virtualization software documentation and verify that host based synchronization is in use and follows local site policy. In this scenario, this section should be skipped
- Only one time synchronization method should be in use on the system. Configuring multiple time synchronization methods could lead to unexpected or unreliable results

Time synchronization is important to support time sensitive security mechanisms and ensures log files have consistent time records across the enterprise, which aids in forensic investigations.

Solution

On physical systems, and virtual systems where host based time synchronization is not available.

Select one of the three time synchronization daemons; chrony (1) systemd-timesyncd (2) or ntp (3) and following the remediation procedure for the selected daemon.

Note: enabling more than one synchronization daemon could lead to unexpected or unreliable results:

- chrony

Run the following command to install chrony :

# apt install chrony

Run the following commands to stop and mask the systemd-timesyncd daemon:

# systemctl stop systemd-timesyncd.service

# systemctl --now mask systemd-timesyncd.service

Run the following command to remove the ntp package:

# apt purge ntp

NOTE:

- Subsection:

Configure chrony

should be followed
- Subsections:

Configure systemd-timesyncd

and

Configure ntp

should be skipped

<xhtml:ol start="2"> - systemd-timesyncd

Run the following command to remove the chrony package:

# apt purge chrony

Run the following command to remove the ntp package:

# apt purge ntp

NOTE:

- Subsection:

Configure systemd-timesyncd

should be followed
- Subsections:

Configure chrony

and

Configure ntp

should be skipped

<xhtml:ol start="3"> - ntp

Run the following command to install ntp :

# apt install ntp

Run the following commands to stop and mask the systemd-timesyncd daemon:

# systemctl stop systemd-timesyncd.service

# systemctl --now mask systemd-timesyncd.service

Run the following command to remove the chrony package:

# apt purge chrony

NOTE:

- Subsection:

Configure ntp

should be followed
- Subsections:

Configure chrony

and

Configure systemd-timesyncd

should be skipped

See Also

https://workbench.cisecurity.org/benchmarks/13775

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-7, 800-53|AU-8, CSCv7|6.1

Plugin: Unix

Control ID: 2fa04443feed97e65467aefefa4bdf03eada122de4108ecc47eb3f08c81686c0