Puppet Class: cis_security_hardening::rules::ntpd

Defined in:
manifests/rules/ntpd.pp

Summary

Ensure ntp is configured

Overview

ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at www.ntp.org. ntp can be configured to be a client and/or a server. This recommendation only applies if ntp is in use on the system.

Rationale: If ntp is in use on the system, proper configuration is vital to ensuring that time synchronization works properly.

Examples:

class { 'cis_security_hardening::rules::ntpd':
  enforce     => true,
  ntp_servers => ['server1', 'server2'],
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule

  • ntp_servers (Optional[Array[Stdlib::Host]])

    NTP servers to use, depends on the daemon used

  • ntp_restrict (Array) (defaults to: [])

    NTP daemon restrictions depending on the daemon used

  • ntp_driftfile (Stdlib::Absolutepath) (defaults to: '/var/lib/ntp/drift')

    Drift file for ntp daemon

  • ntp_statsdir (Optional[Stdlib::Absolutepath])

    NTP stats dir

  • ntp_disable_monitor (Boolean) (defaults to: true)

    Disables the monitoring facility in NTP

  • ntp_burst (Boolean) (defaults to: false)

    Specifies whether to enable the iburst option for every NTP peer.

  • ntp_service_manage (Boolean) (defaults to: true)

    Manage ntp service

# File 'manifests/rules/ntpd.pp', line 46

class cis_security_hardening::rules::ntpd (
  Optional[Stdlib::Absolutepath] $ntp_statsdir,
  Optional[Array[Stdlib::Host]]  $ntp_servers,
  Boolean                        $enforce             = false,
  Array                          $ntp_restrict        = [],
  Stdlib::Absolutepath           $ntp_driftfile       = '/var/lib/ntp/drift',
  Boolean                        $ntp_disable_monitor = true,
  Boolean                        $ntp_burst           = false,
  Boolean                        $ntp_service_manage  = true,
) {
  if $enforce and $facts['os']['name'].downcase() != 'sles' {
    $ntp_default = {
      servers         => $ntp_servers,
      restrict        => $ntp_restrict,
      disable_monitor => $ntp_disable_monitor,
      iburst_enable   => $ntp_burst,
      service_manage  => $ntp_service_manage,
    }

    if empty($ntp_driftfile) {
      $ntp_drift = {}
    } else {
      $ntp_drift = {
        driftfile       => $ntp_driftfile,
      }
    }

    if $ntp_statsdir == undef {
      $statsdir = {}
    } else {
      $statsdir = {
        statsdir => $ntp_statsdir,
      }
    }

    $ntp_data = $ntp_default + $ntp_drift + $statsdir

    class { 'ntp':
      * => $ntp_data,
    }

    if $facts['os']['family'].downcase() == 'debian' {
      ensure_packages(['chrony'], {
          ensure => purged,
      })
      ensure_resource('service', 'systemd-timesyncd', {
          ensure => stopped,
          enable => false,
      })
      $ntp_file = if $facts['os']['name'].downcase() == 'debian' and $facts['os']['release']['major'] >= '12' {
        '/etc/init.d/ntpsec'
      } else {
        '/etc/init.d/ntp'
      }
      file_line { 'ntp runas':
        ensure => present,
        path   => $ntp_file,
        match  => '^RUNASUSER=',
        line   => 'RUNASUSER=ntp',
      }
    } elsif $facts['os']['family'].downcase() == 'redhat' {
      file { '/etc/sysconfig/ntpd':
        ensure  => file,
        owner   => 'root',
        group   => 'root',
        mode    => '0644',
        content => 'OPTIONS="-u ntp:ntp"',
      }
    }
  }
}
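The class above hands its parameters to the ntp module and, per OS family, pins the daemon to the ntp user (RUNASUSER=ntp on Debian, OPTIONS="-u ntp:ntp" on RedHat). The audit below is an added example, not part of this module: it reads an ntp.conf plus the run-as setting and reports which of those hardening points are missing. The sample files, the server names and the CIS-style flag set REQUIRED_RESTRICT are constructed assumptions.

```python
"""Audit ntp.conf and the daemon run-as setting for the hardening this class
applies. Added example, not module code; samples and flag set are assumptions."""
import re

# Constructed: roughly what the class produces on a RedHat host with two servers
SAMPLE_NTP_CONF = """\
driftfile /var/lib/ntp/drift
statsdir /var/log/ntpstats/
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
server ntp1.example.com iburst
server ntp2.example.com iburst
"""
SAMPLE_SYSCONFIG = 'OPTIONS="-u ntp:ntp"\n'   # constructed /etc/sysconfig/ntpd
REQUIRED_RESTRICT = {"kod", "nomodify", "notrap", "nopeer", "noquery"}  # assumed


def _default_restricts(lines):
    """Map address family -> flags on its 'restrict default' line. A line without
    -4/-6 is counted as IPv4 only, so an explicit -6 line is required (conservative)."""
    found = {}
    for tok in (l.split() for l in lines):
        if tok[0] == "restrict" and "default" in tok:
            fam = "ipv6" if "-6" in tok else "ipv4"
            found[fam] = {t for t in tok[1:] if t not in ("-4", "-6", "default")}
    return found


def audit_ntp(ntp_conf, sysconfig=None, initd=None):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    lines = [l.split("#", 1)[0].strip() for l in ntp_conf.splitlines()]
    lines = [l for l in lines if l]                       # drop comments/blanks
    if not any(re.match(r"(server|pool|peer)\s", l) for l in lines):
        findings.append("no time source configured")
    if not any(l.startswith("driftfile ") for l in lines):
        findings.append("driftfile not set")
    if not any(l.split()[0] == "disable" and "monitor" in l.split() for l in lines):
        findings.append("monitor facility not disabled")
    restricts = _default_restricts(lines)
    for fam in ("ipv4", "ipv6"):
        missing = REQUIRED_RESTRICT - restricts.get(fam, set())
        if missing:
            findings.append(f"{fam} default restrict lacks: {' '.join(sorted(missing))}")
    # Run-as user: RedHat sets OPTIONS in /etc/sysconfig/ntpd, Debian RUNASUSER in the init script
    runas_ok = bool(sysconfig and re.search(r"OPTIONS=.*-u\s+ntp:ntp", sysconfig)) \
        or bool(initd and re.search(r"^RUNASUSER=ntp$", initd, re.M))
    if not runas_ok:
        findings.append("daemon not configured to run as the ntp user")
    return findings
```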