2.1.2.1 Ensure chrony is configured with authorized timeserver

Information

- server
  - The server directive specifies an NTP server which can be used as a time source. The client-server relationship is strictly hierarchical: a client might synchronize its system time to that of the server, but the server's system time will never be influenced by that of a client.
  - This directive can be used multiple times to specify multiple servers.
  - The directive is immediately followed by either the name of the server, or its IP address.

- pool
  - The syntax of this directive is similar to that for the server directive, except that it is used to specify a pool of NTP servers rather than a single NTP server. The pool name is expected to resolve to multiple addresses which might change over time.
  - This directive can be used multiple times to specify multiple pools.
  - All options valid in the server directive can be used in this directive too.

Time synchronization is important to support time-sensitive security mechanisms and to ensure log files have consistent time records across the enterprise to aid in forensic investigations.

Solution

Edit /etc/chrony/chrony.conf or a file ending in .sources in /etc/chrony/sources.d/ and add or edit server or pool lines as appropriate according to local site policy:

<[server|pool]> <[remote-server|remote-pool]>

Examples:

pool directive (the maxsources option is unique to the pool directive):

pool time.nist.gov iburst maxsources 4

server directive:

server time-a-g.nist.gov iburst
server 132.163.97.3 iburst
server time-d-b.nist.gov iburst

Run one of the following commands to load the updated time sources into the running chronyd configuration:

# systemctl restart chronyd

- OR if sources are in a .sources file -

# chronyc reload sources

OR

If another time synchronization service is in use on the system, run the following command to remove chrony from the system:

# apt purge chrony
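
One way to verify the result of the steps above, as an added example that is not part of the benchmark or of chrony itself: a POSIX shell check that collects every server and pool line from the two locations named above and compares each source with a site allowlist. ALLOWED_SOURCES, the function names and the sample tree are assumptions made for illustration; the check reads only /etc/chrony/chrony.conf and /etc/chrony/sources.d/*.sources and does not follow include, confdir or sourcedir directives.

```shell
#!/bin/sh
# Added example: compare chrony server/pool sources against a site allowlist.
# ALLOWED_SOURCES is a hypothetical site policy (lowercase, space separated);
# the default below simply reuses the hosts from the examples above.
ALLOWED_SOURCES="${ALLOWED_SOURCES:-time.nist.gov time-a-g.nist.gov 132.163.97.3 time-d-b.nist.gov}"

# Print "directive source" for every server/pool line under ROOT ($1, "" = live system).
# Comment lines never match: their first field starts with the comment character.
# Both fields are lowercased so that "Server" and "server" compare equal.
list_chrony_sources() {
  for f in "$1/etc/chrony/chrony.conf" "$1"/etc/chrony/sources.d/*.sources; do
    [ -f "$f" ] || continue
    awk '{ d = tolower($1) }
         (d == "server" || d == "pool") && NF >= 2 { print d, tolower($2) }' "$f"
  done
}

# Return 0 only if at least one source is configured and every source is allowed.
audit_chrony_sources() {
  sources=$(list_chrony_sources "$1")
  [ -n "$sources" ] || { echo "FAIL: no server or pool directive found"; return 1; }
  rc=0
  # A here-document (not a pipe) keeps the loop in this shell so rc survives.
  while read -r kind src; do
    case " $ALLOWED_SOURCES " in
      *" $src "*) echo "PASS: $kind $src" ;;
      *) echo "FAIL: $kind $src is not in ALLOWED_SOURCES"; rc=1 ;;
    esac
  done <<EOF
$sources
EOF
  return "$rc"
}

# Build a constructed sample tree; $1 is an optional extra line for the .sources file.
make_sample_root() {
  root=$(mktemp -d) || return 1
  mkdir -p "$root/etc/chrony/sources.d"
  printf '%s\n' '# constructed sample' 'pool time.nist.gov iburst maxsources 4' \
    > "$root/etc/chrony/chrony.conf"
  printf '%s\n' 'server time-a-g.nist.gov iburst' "$1" \
    > "$root/etc/chrony/sources.d/site.sources"
  echo "$root"
}
```

Source the file and run audit_chrony_sources "" to check the live system, or pass the path returned by make_sample_root to try it on the constructed tree.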

See Also

https://workbench.cisecurity.org/benchmarks/15023

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-7, 800-53|AU-8, CSCv7|6.1

Plugin: Unix

Control ID: b8dc9a9b3e22aaedbdb66c0aa52389b377697f059bb49ef87cd63a30c32ad900