Skip to content

2.3.1.1 Ensure a single time synchronization daemon is in use

Audit#

On physical systems, and virtual systems where host based time synchronization is not available. One of the three time synchronization daemons should be available; chrony or systemd-timesyncd

Run the following script to verify that a single time synchronization daemon is available on the system: 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
#!/usr/bin/env bash
{
l_output="" l_output2=""
service_not_enabled_chk()
{
l_out2=""
if systemctl is-enabled "$l_service_name" 2>/dev/null | grep -q 'enabled'; then
l_out2="$l_out2\n - Daemon: \"$l_service_name\" is enabled on the system"
fi
if systemctl is-active "$l_service_name" 2>/dev/null | grep -q '^active'; then
l_out2="$l_out2\n - Daemon: \"$l_service_name\" is active on the system"
fi
}
l_service_name="systemd-timesyncd.service" # Check systemd-timesyncd daemon
service_not_enabled_chk
if [ -n "$l_out2" ]; then
l_timesyncd="y"
l_out_tsd="$l_out2"
else
l_timesyncd="n"
l_out_tsd="\n - Daemon: \"$l_service_name\" is not enabled and not active on the system"
fi
l_service_name="chrony.service" # Check chrony
service_not_enabled_chk
if [ -n "$l_out2" ]; then
l_chrony="y"
l_out_chrony="$l_out2"
else
l_chrony="n"
l_out_chrony="\n - Daemon: \"$l_service_name\" is not enabled and not active on the system"
fi
l_status="$l_timesyncd$l_chrony"
case "$l_status" in
yy)
l_output2=" - More than one time sync daemon is in use on the system$l_out_tsd$l_out_chrony"
;;
nn)
l_output2=" - No time sync daemon is in use on the system$l_out_tsd$l_out_chrony"
;;
yn|ny)
l_output=" - Only one time sync daemon is in use on the system$l_out_tsd$l_out_chrony"
;;
*)
l_output2=" - Unable to determine time sync daemon(s) status"
;;
esac
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n
else
echo -e "\n- Audit Result:\n
:\n$l_output2\n"
fi
}

NOTE: Follow the guidance in the subsection for the time synchronization daemon available on the system and skip the other time synchronization daemon subsection.

Remediation#

On physical systems, and virtual systems where host based time synchronization is not available.

Select one of two three time synchronization daemons; chrony (1), systemd-timesyncd (2) and following the remediation procedure for the selected daemon.

Note: enabling more than one synchronization daemon could lead to unexpected or unreliable results:

  1. chrony

Run the following command to install chrony: 

# apt install chrony

Run the following commands to stop and mask the systemd-timesyncd daemon: 

# systemctl stop systemd-timesyncd.service
# systemctl mask systemd-timesyncd.service

NOTE: - Subsection: Configure chrony should be followed - Subsection: Configure systemd-timesyncd should be skipped

  1. systemd-timesyncd

Run the following command to remove the chrony package: 

# apt purge chrony
# apt autoremove chrony

NOTE: - Subsection: Configure systemd-timesyncd should be followed - Subsection: Configure chrony should be skipped