2.1.3.1 Ensure systemd-timesyncd configured with authorized timeserver
Audit:
IF systemd-timesyncd is in use on the system, run the following command:
Verify that NTP=
Example Output:
/etc/systemd/timesyncd.conf.d/50-timesyncd.conf:NTP=time.nist.gov
/etc/systemd/timesyncd.conf.d/50-timesyncd.conf:FallbackNTP=time-a-g.nist.gov time-b-g.nist.gov time-c-g.nist.gov
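The audit above only confirms that an NTP= or FallbackNTP= line exists somewhere under /etc/systemd. The following added script (not part of the benchmark text) goes one step further and checks every configured server against a site allow-list, which is what "authorized timeserver" actually requires. The allow-list and the sample configuration tree are constructed placeholders; the real list comes from local site policy, and on a host the tree argument would be /etc/systemd.

```shell
#!/usr/bin/env bash
# Added audit example (not part of the CIS benchmark text): check every NTP= and
# FallbackNTP= value in a systemd-timesyncd configuration tree against a site
# allow-list. The tree path is a parameter so the check can run against
# /etc/systemd on a host or against a constructed directory as below.

# Assumption: this allow-list is a constructed placeholder; the real list comes
# from local site policy (the benchmark's NIST servers are only an example).
ALLOWED_SERVERS="time.nist.gov time-a-g.nist.gov time-b-g.nist.gov time-c-g.nist.gov"

# Print each server named on an NTP= or FallbackNTP= line in any *.conf file
# under $1, one per line. Same match as the benchmark's grep (optional leading
# whitespace, key, '=', non-empty value), written with -E instead of -P so it
# is not GNU-only.
list_timesyncd_servers() {
    find "$1" -type f -name '*.conf' \
        -exec grep -Eh '^[[:space:]]*(NTP|FallbackNTP)=[^[:space:]]+' {} + 2>/dev/null \
        | sed -E 's/^[[:space:]]*(NTP|FallbackNTP)=//' \
        | tr ' \t' '\n\n' | grep -v '^$'
}

# Return 0 when at least one server is configured and all of them are
# allow-listed; return 1 (printing a reason) otherwise.
audit_timesyncd_servers() {
    servers=$(list_timesyncd_servers "$1" || true)
    if [ -z "$servers" ]; then
        echo "FAIL: no NTP= or FallbackNTP= value found under $1"
        return 1
    fi
    status=0
    for server in $servers; do
        case " $ALLOWED_SERVERS " in
            *" $server "*) ;;
            *) echo "FAIL: $server is not an authorized time server"; status=1 ;;
        esac
    done
    [ "$status" -eq 0 ] && echo "PASS: all configured time servers are authorized"
    return "$status"
}

# Build a constructed configuration tree (a stand-in for /etc/systemd) holding
# the benchmark's example drop-in, and print its path.
build_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/timesyncd.conf.d"
    printf '[Time]\nNTP=time.nist.gov\nFallbackNTP=time-a-g.nist.gov time-b-g.nist.gov time-c-g.nist.gov\n' \
        > "$dir/timesyncd.conf.d/50-timesyncd.conf"
    echo "$dir"
}

# Demonstration: the example drop-in passes; a second drop-in carrying an
# inline comment fails, because systemd does not treat '#' after a value as a
# comment and the words following it end up in the server list.
demo_dir=$(build_sample_tree)
audit_timesyncd_servers "$demo_dir" || true
printf '[Time]\nNTP=time.nist.gov # site default\n' > "$demo_dir/timesyncd.conf.d/60-comment.conf"
audit_timesyncd_servers "$demo_dir" || true
rm -rf "$demo_dir"
```

Run it as `audit_timesyncd_servers /etc/systemd` on a host after replacing ALLOWED_SERVERS with the site list. The second demonstration run is deliberate: a value such as `NTP=time.nist.gov # site default` is reported as unauthorized entries `#`, `site` and `default`, which is the same way systemd would read that line, so keep explanatory comments on their own lines in drop-in files.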
Remediation:
Edit or create a file in /etc/systemd/timesyncd.conf.d ending in .conf and add the NTP= and/or FallbackNTP= lines to the [Time] section:
Example:
[Time]
# Uses the generic name for NIST's time servers
NTP=time.nist.gov
- AND/OR -
# Space separated list of NIST time servers
FallbackNTP=time-a-g.nist.gov time-b-g.nist.gov time-c-g.nist.gov
Note: Servers added to these line(s) should follow local site policy; the NIST servers are shown only as an example. Comments must be placed on their own lines, since systemd does not recognise a comment that follows a value on the same line. The timesyncd.conf.d directory may need to be created.
Example script: The following example script will create the systemd-timesyncd drop-in configuration snippet:
#!/usr/bin/env bash

# Servers used when no NTP= / FallbackNTP= line exists yet; adjust to local site policy.
ntp_ts="time.nist.gov"
ntp_fb="time-a-g.nist.gov time-b-g.nist.gov time-c-g.nist.gov"
disfile="/etc/systemd/timesyncd.conf.d/50-timesyncd.conf"

# Add NTP= only if no *.conf file under /etc/systemd already sets it.
if ! find /etc/systemd -type f -name '*.conf' -exec grep -Ph '^\h*NTP=\H+' {} +; then
    [ ! -d /etc/systemd/timesyncd.conf.d ] && mkdir /etc/systemd/timesyncd.conf.d
    # Create the [Time] section header in the drop-in if it is not there yet.
    ! grep -Pqs '^\h*\[Time\]' "$disfile" && echo "[Time]" >> "$disfile"
    echo "NTP=$ntp_ts" >> "$disfile"
fi

# Same for FallbackNTP=.
if ! find /etc/systemd -type f -name '*.conf' -exec grep -Ph '^\h*FallbackNTP=\H+' {} +; then
    [ ! -d /etc/systemd/timesyncd.conf.d ] && mkdir /etc/systemd/timesyncd.conf.d
    ! grep -Pqs '^\h*\[Time\]' "$disfile" && echo "[Time]" >> "$disfile"
    echo "FallbackNTP=$ntp_fb" >> "$disfile"
fi
Run the following command to reload the systemd-timesyncd configuration:
OR
If another time synchronization service is in use on the system, run the following command to stop and mask systemd-timesyncd:
Default Value: