Puppet Class: cis_security_hardening::rules::chrony

Defined in:
manifests/rules/chrony.pp

Summary

Ensure chrony is configured

Overview

chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and to use a source that is highly accurate. More information on chrony can be found at chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server.

Rationale: If chrony is in use on the system, proper configuration is vital to ensuring time synchronization is working properly. This recommendation only applies if chrony is in use on the system.

Examples:

class { 'cis_security_hardening::rules::chrony':
  enforce     => true,
  # keys are server names, values are the chrony options to set for that server
  ntp_servers => {
    'server1' => ['iburst'],
    'server2' => ['iburst'],
  },
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule

  • ntp_servers (Hash) (defaults to: {})

    NTP servers to use, keyed by server name; the value of each entry is the list of chrony config options to apply to that server

  • makestep_seconds (Integer) (defaults to: 1)

    Threshold, in seconds, above which chronyd steps the system clock instead of slewing it.

  • makestep_updates (Integer) (defaults to: 3)

    Number of clock updates after chronyd start during which stepping is allowed.

# File 'manifests/rules/chrony.pp', line 33

class cis_security_hardening::rules::chrony (
  Boolean $enforce   = false,
  Hash $ntp_servers = {},
  Integer $makestep_seconds = 1,
  Integer $makestep_updates = 3,
) {
  if $enforce {
    class { 'chrony':
      servers          => $ntp_servers,
      makestep_seconds => $makestep_seconds,
      makestep_updates => $makestep_updates,
    }

    case $facts['os']['name'].downcase() {
      'ubuntu': {
        # Remove the legacy ntp daemon so it cannot compete with chronyd for the clock
        ensure_packages(['ntp'], {
          ensure => purged,
        })
      }
      'rocky', 'almalinux', 'centos', 'redhat': {
        # Run chronyd as the unprivileged chrony user; OPTIONS is read by the chronyd service unit
        file { '/etc/sysconfig/chronyd':
          ensure  => file,
          owner   => 'root',
          group   => 'root',
          mode    => '0644',
          content => 'OPTIONS="-u chrony"',
        }
      }
      default: {
        # nothing to do
      }
    }
  }
}
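The class above enforces the rule; a practitioner also wants a way to audit the result on a host. The following Python script is an added example, not code from the cis_security_hardening module or from puppet/chrony. It parses the text of a chrony.conf for server/pool/peer sources and a makestep directive, and checks an /etc/sysconfig/chronyd file for the "-u chrony" option the class writes on RHEL-family systems. The sample configuration texts embedded at the bottom are constructed for the example; the file paths named in the docstring are the usual locations but are an assumption about the host.

```python
"""Audit a chrony configuration the way the CIS rule expects it.

Added example, not part of the cis_security_hardening module. Reads the
text of /etc/chrony.conf (Debian/Ubuntu: /etc/chrony/chrony.conf) and of
/etc/sysconfig/chronyd (RHEL family) and reports what is missing.
"""

SOURCE_DIRECTIVES = ("server", "pool", "peer")


def parse_chrony_conf(text):
    """Return the time sources and the makestep setting found in chrony.conf text.

    Comments start with '#', '!', ';' or '%'; directive names are case-insensitive.
    """
    sources = []
    makestep = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line[0] in "!;%":
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive in SOURCE_DIRECTIVES and len(parts) >= 2:
            sources.append({"type": directive, "host": parts[1], "options": parts[2:]})
        elif directive == "makestep" and len(parts) >= 3:
            # makestep <threshold seconds> <limit updates>, as the class renders it
            makestep = {"threshold": float(parts[1]), "limit": int(parts[2])}
    return {"sources": sources, "makestep": makestep}


def chronyd_runs_as_chrony(sysconfig_text):
    """True if /etc/sysconfig/chronyd sets OPTIONS so chronyd drops to the chrony user."""
    for raw in sysconfig_text.splitlines():
        line = raw.strip()
        if not line.startswith("OPTIONS="):
            continue  # comments and unrelated variables
        value = line[len("OPTIONS="):].strip().strip("\"'")
        args = value.split()
        for i, arg in enumerate(args):
            if arg == "-u" and i + 1 < len(args) and args[i + 1] == "chrony":
                return True
    return False


def audit(conf_text, sysconfig_text=None):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    parsed = parse_chrony_conf(conf_text)
    if not parsed["sources"]:
        findings.append("no server/pool/peer directive: chrony has no time source")
    if parsed["makestep"] is None:
        findings.append("no makestep directive: a large offset is only slewed, never stepped")
    if sysconfig_text is not None and not chronyd_runs_as_chrony(sysconfig_text):
        findings.append('/etc/sysconfig/chronyd does not set OPTIONS="-u chrony"')
    return findings


# Constructed samples: the first pair is what the class above produces for
# ntp_servers => {'server1' => ['iburst'], 'server2' => ['iburst']}.
SAMPLE_CONF_OK = """\
# constructed sample of a rendered chrony.conf
server server1 iburst
server server2 iburst
makestep 1 3
driftfile /var/lib/chrony/drift
"""
SAMPLE_SYSCONFIG_OK = 'OPTIONS="-u chrony"\n'

SAMPLE_CONF_BAD = """\
driftfile /var/lib/chrony/drift
rtcsync
"""
SAMPLE_SYSCONFIG_BAD = 'OPTIONS=""\n'

if __name__ == "__main__":
    for label, conf, sysconfig in (
        ("hardened host", SAMPLE_CONF_OK, SAMPLE_SYSCONFIG_OK),
        ("unconfigured host", SAMPLE_CONF_BAD, SAMPLE_SYSCONFIG_BAD),
    ):
        result = audit(conf, sysconfig)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print(f"  - {finding}")
```

On a real host, replace the sample strings with the contents of the two files; `audit()` with `sysconfig_text=None` skips the sysconfig check on distributions that do not use it, such as Ubuntu.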