Puppet Class: cis_security_hardening::rules::chrony
Defined in: manifests/rules/chrony.pp
Summary
Ensure chrony is configured
Overview
chrony is a daemon which implements the Network Time Protocol (NTP) and is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server.
Rationale: If chrony is in use on the system, proper configuration is vital to ensuring time synchronization is working properly. This recommendation only applies if chrony is in use on the system.
# File 'manifests/rules/chrony.pp', line 33
class cis_security_hardening::rules::chrony (
  Boolean $enforce           = false,
  Optional[Hash] $ntp_servers = {}, #lint:ignore:optional_default
  Integer $makestep_seconds  = 1,
  Integer $makestep_updates  = 3,
) {
  if $enforce {
    if (empty($ntp_servers)) {
      echo { 'no ntp servers warning':
        message  => 'You have not defined any ntp servers, time updating may not work unless provided by your network DHCP',
        loglevel => 'warning',
        withpath => false,
      }
    }
    class { 'chrony':
      servers          => $ntp_servers,
      makestep_seconds => $makestep_seconds,
      makestep_updates => $makestep_updates,
    }
    case $facts['os']['name'].downcase() {
      'ubuntu': {
        ensure_packages(['ntp'], {
          ensure => purged,
        })
      }
      'rocky', 'almalinux', 'centos', 'redhat': {
        file { '/etc/sysconfig/chronyd':
          ensure  => file,
          owner   => 'root',
          group   => 'root',
          mode    => '0644',
          content => 'OPTIONS="-u chrony"',
        }
      }
      default: {
        # nothing to do
      }
    }
  }
}
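A post-run check for the two settings this class manages, active time sources in the chrony configuration and the `-u chrony` option in /etc/sysconfig/chronyd, as an added example that is not part of the module. The function names, sample files and example.net hosts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the module). Paths are arguments so the check can
# run against copies; on a RHEL-family host they would typically be
# /etc/chrony.conf and /etc/sysconfig/chronyd.

# audit_chrony CONF SYSCONFIG: prints findings, returns the failure count.
audit_chrony() {
    conf=$1; sysconfig=$2; fails=0

    # Active time sources only: commented-out server/pool lines do not count.
    sources=$(grep -Ec '^[[:space:]]*(server|pool)[[:space:]]+[^[:space:]]' \
        "$conf" 2>/dev/null) || true
    if [ "${sources:-0}" -gt 0 ]; then
        echo "PASS: $sources time source(s) in $conf"
    else
        echo "FAIL: no server/pool directive in $conf"
        fails=$((fails + 1))
    fi

    # Later assignments override earlier ones, so judge the last OPTIONS= line.
    opts=$(sed -n 's/^[[:space:]]*OPTIONS=//p' "$sysconfig" 2>/dev/null |
        tail -n 1 | tr -d "\"'")
    case " $opts " in
        *" -u chrony "*) echo "PASS: OPTIONS contains '-u chrony' ($opts)" ;;
        *) echo "FAIL: OPTIONS lacks '-u chrony' in $sysconfig"
           fails=$((fails + 1)) ;;
    esac
    return "$fails"
}

# Constructed sample files (not taken from a real host).
write_samples() {
    dir=$1
    printf '%s\n' '# server old.example.net iburst' \
        'server ntp1.example.net iburst' 'pool pool.example.net iburst' \
        'makestep 1 3' > "$dir/good.conf"
    printf '%s\n' '# server ntp1.example.net iburst' 'makestep 1 3' \
        > "$dir/nosource.conf"
    printf '%s\n' 'OPTIONS="-u chrony"' > "$dir/good.sysconfig"
    printf '%s\n' 'OPTIONS="-u chrony"' 'OPTIONS="-F 2"' > "$dir/bad.sysconfig"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_chrony "$demo_dir/good.conf" "$demo_dir/good.sysconfig" || true
audit_chrony "$demo_dir/nosource.conf" "$demo_dir/bad.sysconfig" || true
rm -rf "$demo_dir"
```

A missing file counts as a failure of the corresponding check, which also covers the case where `$enforce` is left at its default of `false` and the sysconfig file was never written.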