Rules Related To 'ntp'

Component overview

Relevant packages:

Relevant groups:

Changelog:

No changes recorded.

Relevant rules:

Rule details

Disable chrony daemon from acting as server

chronyd_client_only

Description

The port option in /etc/chrony.conf can be set to 0 to make chrony daemon to never open any listening port for server operation and to operate strictly in a client-only mode.

Rationale

In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.

Chrony Configure Pool and Server

chronyd_configure_pool_and_server

Description

Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at https://chrony-project.org/. Chrony can be configured to be a client and/or a server. Add or edit server or pool lines to /etc/chrony.conf as appropriate:

server <remote-server>
Multiple servers may be configured.

Rationale

If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly.

Disable network management of chrony daemon

chronyd_no_chronyc_network

Description

The cmdport option in /etc/chrony.conf can be set to 0 to stop chrony daemon from listening on the UDP port 323 for management connections made by chronyc.

Rationale

Minimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface.

Configure Time Service Maxpoll Interval

chronyd_or_ntpd_set_maxpoll

Description

The maxpoll should be configured to $var_time_service_set_maxpoll in /etc/ntp.conf or /etc/chrony.conf (or /etc/chrony.d/) to continuously poll time servers. To configure maxpoll in /etc/ntp.conf or /etc/chrony.conf (or /etc/chrony.d/) add the following after each server, pool or peer entry:

maxpoll $var_time_service_set_maxpoll
to server directives. If using chrony, any pool directives should be configured too.

Rationale

Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).

Specify Additional Remote NTP Servers

chronyd_or_ntpd_specify_multiple_servers

Description

Depending on specific functional requirements of a concrete production environment, the Amazon Linux 2023 system can be configured to utilize the services of the chronyd NTP daemon (the default), or services of the ntpd NTP daemon. Refer to https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite for more detailed comparison of the features of both of the choices, and for further guidance how to choose between the two NTP daemons.
Additional NTP servers can be specified for time synchronization. To do so, perform the following:

Add additional lines of the following form, substituting the IP address or hostname of a remote NTP server for ntpserver:
server ntpserver

Rationale

Specifying additional NTP servers increases the availability of accurate time data, in the event that one of the specified servers becomes unavailable. This is typical for a system acting as an NTP server for other systems.

Specify a Remote NTP Server

chronyd_or_ntpd_specify_remote_server

Description

Depending on specific functional requirements of a concrete production environment, the Amazon Linux 2023 system can be configured to utilize the services of the chronyd NTP daemon (the default), or services of the ntpd NTP daemon. Refer to https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite for more detailed comparison of the features of both of the choices, and for further guidance how to choose between the two NTP daemons.
To specify a remote NTP server for time synchronization, perform the following:

Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver:
server ntpserver
This instructs the NTP software to contact that remote server to obtain time data.

Rationale

Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events.

Ensure that chronyd is running under chrony user account

chronyd_run_as_chrony_user

Description

chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at https://chrony-project.org/. Chrony can be configured to be a client and/or a server. To ensure that chronyd is running under chrony user account, add or edit the OPTIONS variable in /etc/sysconfig/chronyd to include -u chrony:

OPTIONS="-u chrony"
This recommendation only applies if chrony is in use on the system.

Rationale

If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly.

Configure Time Service to use NTS

chrony_set_nts

Description

The system should be configured to use time servers that support Network Time Security (NTS). The specified time server must support NTS and must be configured to use NTS. To configure NTS for given time server add nts to each server or pool line in /etc/chrony.conf.

Rationale

Network Time Security (NTS) uses Transport Layer Security (TLS) to secure Network Time Protocol (NTP) communications. Not using NTS could allow an attacker to interpret and modify the data sent back from the time server Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.

Ensure Chrony is only configured with the server directive

chronyd_server_directive

Description

Check that Chrony only has time sources configured with the server directive.

Rationale

Depending on the infrastructure being used the pool directive may not be supported. Using the server directive allows for better control of where the system gets time data from.

A remote time server for Chrony is configured

chronyd_specify_remote_server

Description

Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at https://chrony-project.org/. Chrony can be configured to be a client and/or a server. Add or edit server or pool lines to /etc/chrony.conf as appropriate:

server <remote-server>
Multiple servers may be configured.

Rationale

If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly.

Synchronize internal information system clocks

chronyd_sync_clock

Description

Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.

Rationale

Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events.

Verify Group Who Owns /etc/chrony.keys File

file_groupowner_etc_chrony_keys

Description

To properly set the group owner of /etc/chrony.keys, run the command:

$ sudo chgrp chrony /etc/chrony.keys

Rationale

The ownership of the /etc/chrony.keys file by the chrony group is important because this file hosts chrony cryptographic keys. Protection of this file is critical for system security. Assigning the ownership to chrony ensures exclusive control of the chrony cryptography keys.

Verify User Who Owns /etc/chrony.keys File

file_owner_etc_chrony_keys

Description

To properly set the owner of /etc/chrony.keys, run the command:

$ sudo chown root /etc/chrony.keys 

Rationale

The ownership of the /etc/chrony.keys file by the chrony user is important because this file hosts chrony cryptographic keys. Protection of this file is critical for system security. Assigning the ownership to chrony ensures exclusive control of the chrony cryptographic keys.

Verify Permissions On /etc/chrony.keys File

file_permissions_etc_chrony_keys

Description

To properly set the permissions of /etc/chrony.keys, run the command:

$ sudo chmod 0640 /etc/chrony.keys

Rationale

Setting correct permissions on the /etc/chrony.keys file is important because this file hosts chrony cryptographic keys. Protection of this file is critical for system security. Assigning the correct mode ensures exclusive control of the chrony cryptographic keys.

Configure server restrictions for ntpd

ntpd_configure_restrictions

Description

ntpd is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. ntp can be configured to be a client and/or a server. To ensure that ntpd implements correct server restrictions, make sure that the following lines exist in the file /etc/ntpd.conf:

restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
This recommendation only applies if ntp is in use on the system.

Rationale

If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly.

Configure ntpd To Run As ntp User

ntpd_run_as_ntp_user

Description

ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. ntp can be configured to be a client and/or a server. To ensure that ntpd is running as ntp user, Add or edit the OPTIONS variable in /etc/sysconfig/ntpd to include ' -u ntp:ntp ':

OPTIONS="-u ntp:ntp"
This recommendation only applies if ntp is in use on the system.

Rationale

If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly. Running ntpd under dedicated user accounts limits the attack surface for potential attacker exploiting security flaws in the daemon or the protocol.

Specify Additional Remote NTP Servers

ntpd_specify_multiple_servers

Description

Additional NTP servers can be specified for time synchronization in the file /etc/ntp.conf. To do so, add additional lines of the following form, substituting the IP address or hostname of a remote NTP server for ntpserver:

server ntpserver

Rationale

Specifying additional NTP servers increases the availability of accurate time data, in the event that one of the specified servers becomes unavailable. This is typical for a system acting as an NTP server for other systems.

Specify a Remote NTP Server

ntpd_specify_remote_server

Description

To specify a remote NTP server for time synchronization, edit the file /etc/ntp.conf. Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver:

server ntpserver
This instructs the NTP software to contact that remote server to obtain time data.

Rationale

Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events.

The Chrony package is installed

package_chrony_installed

Description

System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them. The chrony package can be installed with the following command:

$ sudo dnf install chrony

Rationale

Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations.

Install the ntp service

package_ntp_installed

Description

The ntpd service should be installed.

Rationale

Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptographic based services (authentication, etc.), etc.). Ntpd is regulary maintained and updated, supporting security features such as RFC 5906.

Remove the ntp service

package_ntp_removed

Description

The ntpd service should not be installed.

Rationale

Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.

Install the systemd_timesyncd Service

package_timesyncd_installed

Description

The systemd_timesyncd service should be installed.

Rationale

Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptographic based services (authentication, etc.), etc.). systemd_timesyncd is a part of the systemd suite and acts as a NTP client.

Remove the systemd_timesyncd Service

package_timesyncd_removed

Description

The systemd_timesyncd service should not be installed.

Rationale

Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.

The Chronyd service is enabled

service_chronyd_enabled

Description

chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at https://chrony-project.org/. Chrony can be configured to be a client and/or a server. To enable Chronyd service, you can run: # systemctl enable chronyd.service This recommendation only applies if chrony is in use on the system.

Rationale

If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly.

Enable the NTP Daemon

service_chronyd_or_ntpd_enabled

Description

Run the following command to determine the current status of the chronyd service:

$ sudo systemctl is-active chronyd
If the service is running, it should return the following:
active
Note: The chronyd daemon is enabled by default.

Run the following command to determine the current status of the ntpd service:
$ sudo systemctl is-active ntpd
If the service is running, it should return the following:
active
Note: The ntpd daemon is not enabled by default. Though as mentioned in the previous sections in certain environments the ntpd daemon might be preferred to be used rather than the chronyd one. Refer to: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite for guidance which NTP daemon to choose depending on the environment used.

Rationale

Enabling some of chronyd or ntpd services ensures that the NTP daemon will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.

The chronyd and ntpd NTP daemons offer all of the functionality of ntpdate, which is now deprecated.

Enable the NTP Daemon

service_ntp_enabled

Description

The ntp service can be enabled with the following command:

$ sudo systemctl enable ntp.service

Rationale

Enabling the ntp service ensures that the ntp service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.

The NTP daemon offers all of the functionality of ntpdate, which is now deprecated.

Enable the NTP Daemon

service_ntpd_enabled

Description

The ntpd service can be enabled with the following command:

$ sudo systemctl enable ntpd.service

Rationale

Enabling the ntpd service ensures that the ntpd service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.

The NTP daemon offers all of the functionality of ntpdate, which is now deprecated.

Enable systemd_timesyncd Service

service_timesyncd_enabled

Description

The systemd_timesyncd service can be enabled with the following command:

$ sudo systemctl enable systemd_timesyncd.service

Rationale

Enabling the systemd_timesyncd service ensures that this host uses the ntp protocol to fetch time data from a ntp server. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.

Additional information on Ubuntu network time protocol is available at https://help.ubuntu.com/lts/serverguide/NTP.html.en.

Configure Systemd Timesyncd Servers

service_timesyncd_configured

Description

systemd-timesyncd is a daemon that has been added for synchronizing the system clock across the network. The systemd-timesyncd daemon implements: - Implements an SNTP client - Runs with minimal privileges - Saves the current clock to disk every time a new NTP sync has been acquired - Is hooked up with networkd to only operate when network connectivity is available Add or edit server or pool lines to /etc/systemd/timesyncd.conf as appropriate:

server <remote-server>
Multiple servers may be configured.

Rationale

Configuring systemd-timesyncd ensures time synchronization is working properly.

Configure Systemd Timesyncd Root Distance Servers

service_timesyncd_root_distance_configured

Description

systemd-timesyncd server configuration should have RootDistanceMaxSec is listed in accordance with local policy. This setting describes the maximum estimated time required for a packet to travel to the server connected.

Rationale

Configuring systemd-timesyncd RootDistanceMaxSec ensures time synchronization is using servers that are close enough to the client.