2.3.3.1 Ensure chrony is configured with authorized timeserver

Information

- server
  - The server directive specifies an NTP server which can be used as a time source. The client-server relationship is strictly hierarchical: a client might synchronize its system time to that of the server, but the server's system time will never be influenced by that of a client.
  - This directive can be used multiple times to specify multiple servers.
  - The directive is immediately followed by either the name of the server, or its IP address.

- pool
  - The syntax of this directive is similar to that for the server directive, except that it is used to specify a pool of NTP servers rather than a single NTP server. The pool name is expected to resolve to multiple addresses which might change over time.
  - This directive can be used multiple times to specify multiple pools.
  - All options valid in the server directive can be used in this directive too.

Time synchronization is important to support time-sensitive security mechanisms (certificate validity windows, Kerberos ticket lifetimes, TOTP) and to ensure log files have consistent time records across the enterprise to aid in forensic investigations.

Solution

Edit /etc/chrony/chrony.conf or a file ending in .sources in /etc/chrony/sources.d/ and add or edit server or pool lines as appropriate according to local site policy. Note that files in sources.d/ are only read if chrony.conf contains a matching sourcedir directive (the Debian/Ubuntu default configuration ships with sourcedir /etc/chrony/sources.d), and that chronyd must be told to re-read them with chronyc reload sources or a service restart.

Edit the Chrony configuration and add or edit the server and/or pool lines returned by the Audit Procedure as appropriate according to local site policy

<[server|pool]> <[remote-server|remote-pool]>

Example script to add a drop-in configuration for the pool directive:

#!/usr/bin/env bash

{
[ ! -d "/etc/chrony/sources.d/" ] && mkdir /etc/chrony/sources.d/
printf '%s\n' "" "#The maxsources option is unique to the pool directive" "pool time.nist.gov iburst maxsources 4" >> /etc/chrony/sources.d/60-sources.sources
chronyc reload sources &>/dev/null
}

Example script to add a drop-in configuration for the server directive:

#!/usr/bin/env bash

{
[ ! -d "/etc/chrony/sources.d/" ] && mkdir /etc/chrony/sources.d/
printf '%s\n' "" "server time-a-g.nist.gov iburst" "server 132.163.97.3 iburst" "server time-d-b.nist.gov iburst" >> /etc/chrony/sources.d/60-sources.sources
chronyc reload sources &>/dev/null
}

Run the following command to reload the chronyd config:

# systemctl reload-or-restart chronyd
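The remediation above writes a drop-in but the page does not show the corresponding check. The following is an added example, not part of the CIS benchmark or the Tenable plugin: a small audit helper that walks chrony.conf and every *.sources drop-in under a given chrony config directory, ignores commented-out lines, and lists the effective server/pool directives. The config root is a parameter so the check can be exercised against a constructed sample tree (built by the build_sample helper below, which is part of this example and not a real host configuration); the default root /etc/chrony matches the paths used on this page. Function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example: audit helper for "chrony is configured with authorized timeserver".
# Not from the CIS benchmark or the Tenable plugin; written for this page.

# Print every uncommented server/pool directive found under the given chrony
# config directory (chrony.conf plus sources.d/*.sources), one per line, with
# trailing comments stripped and whitespace normalised.
chrony_time_sources() {
    root="${1:-/etc/chrony}"
    for f in "$root/chrony.conf" "$root"/sources.d/*.sources; do
        [ -f "$f" ] || continue
        # drop '#' comments, keep lines whose first word is server or pool
        sed -e 's/#.*$//' "$f" | awk '$1 == "server" || $1 == "pool" { $1 = $1; print }'
    done
}

# Return 0 (pass) when at least one server or pool directive is configured,
# 1 (fail) otherwise. This is the pass/fail condition an auditor would script.
chrony_time_source_check() {
    n=$(( $(chrony_time_sources "${1:-/etc/chrony}" | wc -l) ))
    [ "$n" -gt 0 ]
}

# Constructed sample config tree (not a real host): chrony.conf with only a
# commented-out pool line, plus a drop-in carrying one pool and one server.
build_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sources.d"
    cat > "$dir/chrony.conf" <<'EOF'
# pool ntp.ubuntu.com iburst maxsources 4   <- commented out: must not count
sourcedir /etc/chrony/sources.d
driftfile /var/lib/chrony/chrony.drift
EOF
    cat > "$dir/sources.d/60-sources.sources" <<'EOF'

#The maxsources option is unique to the pool directive
pool time.nist.gov iburst maxsources 4
server time-a-g.nist.gov iburst   # trailing comment is stripped
EOF
    printf '%s\n' "$dir"
}

# Constructed sample with no time source at all (the failing case).
build_empty_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sources.d"
    printf '%s\n' "driftfile /var/lib/chrony/chrony.drift" > "$dir/chrony.conf"
    printf '%s\n' "$dir"
}

# Usage against a constructed tree; replace with no argument to audit /etc/chrony.
sample=$(build_sample)
chrony_time_sources "$sample"
if chrony_time_source_check "$sample"; then echo "PASS: time source configured"; else echo "FAIL: no server/pool directive"; fi
```

Run it as a regular user against the live system with `chrony_time_sources` (no argument); on a compliant host the output should match the server/pool lines your site policy authorizes, and any extra or missing line is the finding. The check deliberately treats a commented-out pool line as absent, which is the common misconfiguration after someone "temporarily" disables the distribution default.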

See Also

https://workbench.cisecurity.org/benchmarks/18959

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-7, 800-53|AU-8, CSCv7|6.1

Plugin: Unix

Control ID: e343a14bcc22fe08bf0ed9dfa14fe9e774a077268a8779570e1ccca1501684af