Configure Systemd Timesyncd Servers

Description

systemd-timesyncd is a daemon that has been added for synchronizing the system clock across the network. The systemd-timesyncd daemon:

  • Implements an SNTP client
  • Runs with minimal privileges
  • Saves the current clock to disk every time a new NTP sync has been acquired
  • Is hooked up with networkd to only operate when network connectivity is available

Add or edit server or pool lines to /etc/systemd/timesyncd.conf as appropriate:

server <remote-server>

Multiple servers may be configured.

Rationale

Configuring systemd-timesyncd ensures time synchronization is working properly.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

#!/bin/bash

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'systemd' 2>/dev/null | grep -q '^installed$'; }; then

var_multiple_time_servers='0.ubuntu.pool.ntp.org,1.ubuntu.pool.ntp.org,2.ubuntu.pool.ntp.org,3.ubuntu.pool.ntp.org'

IFS=',' read -r -a time_servers_array <<< "$var_multiple_time_servers"
preferred_ntp_servers_array=("${time_servers_array[@]:0:2}")
# timesyncd.conf expects space-separated server lists, so join with spaces
preferred_ntp_servers="${preferred_ntp_servers_array[*]}"
fallback_ntp_servers_array=("${time_servers_array[@]:2}")
fallback_ntp_servers="${fallback_ntp_servers_array[*]}"

IFS=" " mapfile -t current_cfg_arr < <(ls -1 /etc/systemd/timesyncd.d/* /etc/systemd/timesyncd.conf.d/* 2>/dev/null)

config_file="/etc/systemd/timesyncd.conf.d/oscap-remedy.conf"

current_cfg_arr+=( "/etc/systemd/timesyncd.conf" )
# Comment out existing NTP and FallbackNTP settings
for current_cfg in "${current_cfg_arr[@]}"
do
    sed -i 's/^NTP/#&/g' "$current_cfg"
    sed -i 's/^FallbackNTP/#&/g' "$current_cfg"
done

if [ ! -d "/etc/systemd/timesyncd.conf.d" ]
then
    mkdir -p /etc/systemd/timesyncd.conf.d
fi

# Set primary and fallback NTP servers in the drop-in configuration.
# The [Time] header is required: systemd ignores assignments made outside a section.
{
    echo "[Time]"
    echo "NTP=$preferred_ntp_servers"
    echo "FallbackNTP=$fallback_ntp_servers"
} > "$config_file"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
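
A lint for the two format requirements of timesyncd configuration files that matter for this rule, as an added example that is not part of the rule's own remediation content: server assignments are only honoured inside a [Time] section, and NTP= and FallbackNTP= take space-separated lists. The names timesyncd_lint and make_samples and the sample file names are hypothetical, and the sample files are constructed.

```bash
#!/bin/bash
# Added example: lint timesyncd configuration files for NTP=/FallbackNTP=
# lines that systemd-timesyncd will not use as intended.

# timesyncd_lint FILE... -> one finding per bad line; returns 1 if any.
timesyncd_lint() {
    awk '
        FNR == 1 { section = "" }              # a section never spans files
        /^[ \t]*([#;]|$)/ { next }             # comments and blank lines
        /^[ \t]*\[.*\][ \t]*$/ {               # section header, e.g. [Time]
            section = $0
            sub(/^[ \t]*\[/, "", section); sub(/\][ \t]*$/, "", section)
            next
        }
        /^[ \t]*(NTP|FallbackNTP)[ \t]*=/ {
            value = substr($0, index($0, "=") + 1)
            if (section != "Time") {
                printf "%s:%d: assignment outside [Time] is ignored\n", FILENAME, FNR
                bad++
            } else if (value ~ /,/) {
                printf "%s:%d: server list must be space-separated\n", FILENAME, FNR
                bad++
            }
        }
        END { exit (bad > 0) }
    ' "$@"
}

# Constructed sample files (hypothetical names), written to a scratch directory.
make_samples() {
    printf 'NTP=0.ubuntu.pool.ntp.org,1.ubuntu.pool.ntp.org\n' > "$1/no-section.conf"
    printf '[Time]\nNTP=0.ubuntu.pool.ntp.org,1.ubuntu.pool.ntp.org\n' > "$1/commas.conf"
    printf '[Time]\nNTP=0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org\nFallbackNTP=2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org\n' > "$1/good.conf"
}

scratch=$(mktemp -d)
make_samples "$scratch"
timesyncd_lint "$scratch"/*.conf || echo "findings listed above"
rm -rf "$scratch"
```

On a live host, pass /etc/systemd/timesyncd.conf and the files under /etc/systemd/timesyncd.conf.d/ as arguments.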

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - PCI-DSS-Req-10.4.3
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_timesyncd_configured
- name: XCCDF Value var_multiple_time_servers # promote to variable
  set_fact:
    var_multiple_time_servers: !!str 0.ubuntu.pool.ntp.org,1.ubuntu.pool.ntp.org,2.ubuntu.pool.ntp.org,3.ubuntu.pool.ntp.org
  tags:
    - always

- name: Configure Systemd Timesyncd Servers - Set Primary NTP Servers
  ansible.builtin.set_fact:
    # timesyncd.conf expects space-separated server lists
    preferred_ntp_servers: '{{ var_multiple_time_servers.split(",") | slice(2) | first
      | join(" ") }}'
  when:
  - '"linux-base" in ansible_facts.packages'
  - '"systemd" in ansible_facts.packages'
  tags:
  - PCI-DSS-Req-10.4.3
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_timesyncd_configured

- name: Configure Systemd Timesyncd Servers - Set Fallback NTP Servers
  ansible.builtin.set_fact:
    # timesyncd.conf expects space-separated server lists
    fallback_ntp_servers: '{{ var_multiple_time_servers.split(",") | slice(2) | list
      | last | join(" ") }}'
  when:
  - '"linux-base" in ansible_facts.packages'
  - '"systemd" in ansible_facts.packages'
  tags:
  - PCI-DSS-Req-10.4.3
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_timesyncd_configured

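# systemd ignores assignments made outside a section, so the drop-in needs a [Time] header
- name: Configure Systemd Timesyncd Servers - Ensure the Time section header is present
  ansible.builtin.lineinfile:
    path: /etc/systemd/timesyncd.conf.d/oscap-remedy.conf
    line: '[Time]'
    insertbefore: BOF
    state: present
    create: true
  when:
  - '"linux-base" in ansible_facts.packages'
  - '"systemd" in ansible_facts.packages'
  tags:
  - PCI-DSS-Req-10.4.3
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_timesyncd_configured

- name: Configure Systemd Timesyncd Servers - Add missing / update wrong records for
    NTP servers
  ansible.builtin.lineinfile:
    path: /etc/systemd/timesyncd.conf.d/oscap-remedy.conf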
    regexp: ^\s*NTP\s*=
    state: present
    line: NTP={{ preferred_ntp_servers }}
    create: true
  when:
  - '"linux-base" in ansible_facts.packages'
  - '"systemd" in ansible_facts.packages'
  tags:
  - PCI-DSS-Req-10.4.3
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_timesyncd_configured

- name: Configure Systemd Timesyncd Servers - Add missing / update wrong records for
    fallback servers
  ansible.builtin.lineinfile:
    path: /etc/systemd/timesyncd.conf.d/oscap-remedy.conf
    regexp: ^\s*FallbackNTP\s*=
    state: present
    line: FallbackNTP={{ fallback_ntp_servers }}
    create: true
  when:
  - '"linux-base" in ansible_facts.packages'
  - '"systemd" in ansible_facts.packages'
  tags:
  - PCI-DSS-Req-10.4.3
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_timesyncd_configured