Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at https://chrony-project.org/. Chrony can be configured to be a client and/or a server. Add or edit server or pool lines to /etc/chrony.conf as appropriate:
server <remote-server>
Multiple servers may be configured.
If chrony is in use on the system, proper configuration is vital to ensuring time synchronization is working properly.
Depending on specific functional requirements of a concrete
production environment, the Amazon Linux 2023 system can be
configured to utilize the services of the chronyd NTP daemon (the
default), or services of the ntpd NTP daemon. Refer to
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite
for a more detailed comparison of the features of both choices, and for
further guidance on how to choose between the two NTP daemons.
To specify a remote NTP server for time synchronization, perform the following:
server ntpserver
This instructs the NTP software to contact that remote server to obtain time data.
Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events.
chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at https://chrony-project.org/. Chrony can be configured to be a client and/or a server. To ensure that chronyd is running under chrony user account, add or edit the OPTIONS variable in /etc/sysconfig/chronyd to include -u chrony:
OPTIONS="-u chrony"
This recommendation only applies if chrony is in use on the system.
If chrony is in use on the system, proper configuration is vital to ensuring time synchronization is working properly.
Check that Chrony only has time sources configured with the server directive.
Depending on the infrastructure being used the pool directive may not be supported. Using the server directive allows for better control of where the system gets time data from.
To properly set the group owner of /etc/chrony.keys, run the command:
$ sudo chgrp chrony /etc/chrony.keys
The ownership of the /etc/chrony.keys file by the chrony group is important because this file hosts chrony cryptographic keys. Protection of this file is critical for system security. Assigning the ownership to chrony ensures exclusive control of the chrony cryptography keys.
To properly set the owner of /etc/chrony.keys, run the command:
$ sudo chown root /etc/chrony.keys
The ownership of the /etc/chrony.keys file by the chrony user is important because this file hosts chrony cryptographic keys. Protection of this file is critical for system security. Assigning the ownership to chrony ensures exclusive control of the chrony cryptographic keys.
To properly set the permissions of /etc/chrony.keys, run the command:
$ sudo chmod 0640 /etc/chrony.keys
Setting correct permissions on the /etc/chrony.keys file is important because this file hosts chrony cryptographic keys. Protection of this file is critical for system security. Assigning the correct mode ensures exclusive control of the chrony cryptographic keys.
System time should be synchronized between all systems in an environment. This is
typically done by establishing an authoritative time server or set of servers and having all
systems synchronize their clocks to them.
The chrony package can be installed with the following command:
$ sudo dnf install chrony
Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations.
chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at https://chrony-project.org/. Chrony can be configured to be a client and/or a server. To enable the chronyd service, you can run:
# systemctl enable chronyd.service
This recommendation only applies if chrony is in use on the system.
If chrony is in use on the system, proper configuration is vital to ensuring time synchronization is working properly.
The system should be configured to use time servers that support Network Time Security (NTS). The specified time server must support NTS and must be configured to use NTS. To configure NTS for a given time server, add nts to each server or pool line in /etc/chrony.conf.
Network Time Security (NTS) uses Transport Layer Security (TLS) to secure Network Time Protocol (NTP) communications. Not using NTS could allow an attacker to interpret and modify the data sent back from the time server. Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
The port option in /etc/chrony.conf can be set to 0 to make the chrony daemon never open any listening port for server operation and operate strictly in client-only mode.
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.
The cmdport option in /etc/chrony.conf can be set to 0 to stop the chrony daemon from listening on UDP port 323 for management connections made by chronyc.
Minimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface.
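The chrony.conf settings described above (time sources declared with server rather than pool, nts on every source line, port 0 and cmdport 0) can be audited in one pass over the file. The following is an added example, not part of the original guide; the function name audit_chrony_conf and the wording of the findings are illustrative assumptions.

```sh
#!/bin/sh
# Added example: audit a chrony.conf against the settings described in this guide.
# Usage: audit_chrony_conf /etc/chrony.conf
# Prints one finding per line; returns 0 when nothing is found, 1 otherwise,
# and 2 when the file cannot be read.
audit_chrony_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "unreadable: $conf"; return 2; }
    awk '
        # Skip blank lines and comment lines (chrony accepts # ; % ! as markers).
        /^[ \t]*([#;%!]|$)/ { next }
        { directive = tolower($1) }

        # Only the server directive is expected for time sources.
        directive == "pool" {
            printf "line %d: pool directive used, expected server: %s\n", NR, $0
            bad++
        }

        # Every time source line must carry the nts option (field 2 is the host).
        directive == "server" || directive == "pool" {
            sources++
            has_nts = 0
            for (i = 3; i <= NF; i++) if (tolower($i) == "nts") has_nts = 1
            if (!has_nts) {
                printf "line %d: time source without nts: %s\n", NR, $0
                bad++
            }
        }

        # Remember the last value given for each listening-port option.
        directive == "port"    { port = $2 }
        directive == "cmdport" { cmdport = $2 }

        END {
            if (sources == 0)   { print "no server line configured"; bad++ }
            if (port != "0")    { print "port is not set to 0"; bad++ }
            if (cmdport != "0") { print "cmdport is not set to 0"; bad++ }
            exit (bad > 0)
        }
    ' "$conf"
}
```

The function only reads the file it is given, so it can be run against a staged copy of the configuration before it is deployed.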
Depending on specific functional requirements of a concrete
production environment, the Amazon Linux 2023 system can be
configured to utilize the services of the chronyd NTP daemon (the
default), or services of the ntpd NTP daemon. Refer to
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite
for a more detailed comparison of the features of both choices, and for
further guidance on how to choose between the two NTP daemons.
Additional NTP servers can be specified for time synchronization. To do so,
perform the following:
server ntpserver
Specifying additional NTP servers increases the availability of accurate time data, in the event that one of the specified servers becomes unavailable. This is typical for a system acting as an NTP server for other systems.
Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events.