
2.1.2.1 Ensure chrony is configured with authorized timeserver

Audit

IF chrony is in use on the system, run the following command to display the server and/or pool directive:

# grep -Pr --include=*.{sources,conf} '^\h*(server|pool)\h+\H+' /etc/chrony/

Verify that at least one pool line and/or at least three server lines are returned, and the timeserver on the returned lines follows local site policy.

Output examples:

pool directive:

pool time.nist.gov iburst maxsources 4 #The maxsources option is unique to the pool directive

server directive:

server time-a-g.nist.gov iburst
server 132.163.97.3 iburst
server time-d-b.nist.gov iburst
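
The audit above can be scripted so that both conditions (enough sources, and every source approved) are checked in one pass. This is an added example, not part of the benchmark text: the function names and the allowlist file (one hostname or IP per line, standing in for local site policy) are assumptions, and awk field matching is used in place of `grep -P` to select the same active server/pool lines.

```shell
#!/bin/sh
# Added example, not benchmark text. The allowlist file (one hostname or IP
# per line) is a hypothetical way to encode "local site policy".

# audit_chrony_sources DIR ALLOWLIST
# Prints findings; returns 0 on pass, 1 on fail.
audit_chrony_sources() {
    dir=$1 allow=$2
    # Same files the benchmark grep reads: *.conf and *.sources, recursively.
    find "$dir" -type f \( -name '*.conf' -o -name '*.sources' \) \
        -exec cat {} + 2>/dev/null |
    awk -v allow="$allow" '
        # Load the allowlist; a missing file leaves it empty, so every source fails.
        BEGIN { while ((getline h < allow) > 0) if (h != "") ok[h] = 1 }
        # Active directives only: "#server ..." has "#server" as its first field.
        ($1 == "server" || $1 == "pool") && NF >= 2 {
            n[$1]++
            if (!($2 in ok)) {
                printf "FAIL: %s %s is not in the allowlist\n", $1, $2
                bad = 1
            }
        }
        END {
            if (n["pool"] < 1 && n["server"] < 3) {
                printf "FAIL: need >=1 pool or >=3 server lines (pool=%d server=%d)\n", n["pool"], n["server"]
                bad = 1
            }
            if (!bad) printf "PASS: pool=%d server=%d, all sources allowed\n", n["pool"], n["server"]
            exit bad
        }'
}

# Constructed sample tree and allowlist for a dry run (not real system files).
make_sample() {
    mkdir -p "$1/sources.d"
    printf 'pool time.nist.gov iburst maxsources 4\n#server old.example iburst\n' > "$1/chrony.conf"
    printf 'server time-a-g.nist.gov iburst\n' > "$1/sources.d/site.sources"
    printf 'time.nist.gov\ntime-a-g.nist.gov\n' > "$1/allow.txt"
}
```

On a real host, pass /etc/chrony as the directory and the site's own allowlist file as the second argument; a non-zero exit status means the audit failed.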

Remediation

Edit /etc/chrony/chrony.conf or a file ending in .sources in /etc/chrony/sources.d/ and add or edit server or pool lines as appropriate according to local site policy:

<[server|pool]> <[remote-server|remote-pool]>

Examples:

pool directive:

pool time.nist.gov iburst maxsources 4 #The maxsources option is unique to the pool directive

server directive:

server time-a-g.nist.gov iburst
server 132.163.97.3 iburst
server time-d-b.nist.gov iburst

Run one of the following commands to load the updated time sources into the chronyd running configuration:

# systemctl restart chronyd

OR, if the sources are in a .sources file:

# chronyc reload sources

OR

If another time synchronization service is in use on the system, run the following command to remove chrony from the system:

# apt purge chrony