Puppet Class: cis_security_hardening::rules::systemd_timesyncd
- Defined in:
- manifests/rules/systemd_timesyncd.pp
Summary
Ensure systemd-timesyncd is configured (Not Scored)
Overview
systemd-timesyncd is a daemon that has been added for synchronizing the system clock across the network. It implements an SNTP client. In contrast to NTP implementations such as chrony or the NTP reference server this only implements a client side, and does not bother with the full NTP complexity, focusing only on querying time from one remote server and synchronizing the local clock to it. The daemon runs with minimal privileges, and has been hooked up with networkd to only operate when network connectivity is available. The daemon saves the current clock to disk every time a new NTP sync has been acquired, and uses this to possibly correct the system clock early at bootup, in order to accommodate for systems that lack an RTC such as the Raspberry Pi and embedded devices, and make sure that time monotonically progresses on these systems, even if it is not always correct. To make use of this daemon a new system user and group “systemd-timesync” needs to be created on installation of systemd.
Note: The systemd-timesyncd service specifically implements only SNTP. This minimalistic service will set the system
clock for large offsets or slowly adjust it for smaller deltas. More complex use cases are not covered by
systemd-timesyncd.
This recommendation only applies if timesyncd is in use on the system.
Rationale: Proper configuration is vital to ensuring time synchronization is working properly.
- fix_file_perms (Boolean, default true): Flag whether to fix file permissions.
# File 'manifests/rules/systemd_timesyncd.pp', line 44
class cis_security_hardening::rules::systemd_timesyncd (
  Boolean $enforce              = false,
  Boolean $fix_file_perms       = true,
  Array   $ntp_servers          = [],
  Array   $ntp_fallback_servers = [],
) {
  if $enforce {
    if(empty($ntp_servers)) {
      fail('no ntp servers specified!')
    } else {
      # Remove the other time daemons so only timesyncd manages the clock
      $ensure = $facts['os']['family'].downcase() ? {
        'suse'  => 'absent',
        default => 'purged',
      }
      ensure_packages(['ntp', 'chrony'], {
          ensure => $ensure,
      })

      # Set the primary servers as one space-separated NTP= line
      $servers = join($ntp_servers, ' ')
      file_line { 'ntp-timesyncd.conf':
        path               => '/etc/systemd/timesyncd.conf',
        line               => "NTP=${servers}",
        match              => '^NTP=',
        append_on_no_match => true,
      }
    }

    # Fallback servers are optional
    if !empty($ntp_fallback_servers) {
      $fallback = join($ntp_fallback_servers, ' ')
      file_line { 'ntp-fallback-timesyncd.conf':
        path               => '/etc/systemd/timesyncd.conf',
        line               => "FallbackNTP=${fallback}",
        match              => '^FallbackNTP=',
        append_on_no_match => true,
      }
    }

    # On Debian, set root ownership on the timesync state directory and clock file
    if $facts['os']['family'].downcase() == 'debian' and $fix_file_perms {
      ensure_resource('file', '/var/lib/private/systemd/timesync', {
          owner => 'root',
          group => 'root',
      })
      ensure_resource('file', '/var/lib/private/systemd/timesync/clock', {
          owner => 'root',
          group => 'root',
      })
    }

    ensure_resource('service', 'systemd-timesyncd.service', {
        ensure => running,
        enable => true,
    })

    # On SLES, additionally switch NTP synchronization on via timedatectl
    if $facts['os']['name'].downcase() == 'sles' {
      exec { 'timedatectl':
        command   => 'timedatectl set-ntp true',
        path      => ['/bin', '/usr/bin'],
        subscribe => File_line['ntp-timesyncd.conf'],
      }
    }
  }
}
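
Added example (not part of the module): a POSIX shell audit that confirms the NTP= line the class writes is active, meaning uncommented, under the [Time] section, and equal to the expected server list. The function names timesyncd_value and audit_timesyncd, the sample file and the example.org host names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the settings this class manages in timesyncd.conf.

# Print every uncommented KEY= assignment found inside the [Time]
# section of FILE, one value per line (no output if there is none).
timesyncd_value() {
  awk -v key="$2" '
    /^[ \t]*[#;]/ { next }                      # comment lines are ignored
    /^[ \t]*\[/   { in_time = ($0 ~ /^[ \t]*\[Time\]/); next }
    in_time && index($0, key "=") == 1 { print substr($0, length(key) + 2) }
  ' "$1"
}

# Return 0 only if exactly one active NTP= line exists under [Time]
# and its value equals the expected space-separated server list.
audit_timesyncd() {
  file=$1
  expected=$2
  actual=$(timesyncd_value "$file" NTP)
  if [ -z "$actual" ]; then
    echo "FAIL: no active NTP= under [Time] in $file"
    return 1
  fi
  if [ "$actual" != "$expected" ]; then
    echo "FAIL: NTP=$actual (expected: $expected)"
    return 1
  fi
  echo "PASS: NTP=$actual"
}

# Constructed sample: commented defaults plus the line appended by file_line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Time]
#NTP=
#FallbackNTP=time.example.org
NTP=ntp1.example.org ntp2.example.org
EOF
audit_timesyncd "$sample" "ntp1.example.org ntp2.example.org"
rm -f "$sample"
```

On a managed host, call audit_timesyncd with /etc/systemd/timesyncd.conf and the same server list passed to $ntp_servers.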