---
title: The Chronyd service is disabled
description: Datadog, the leading service for cloud-scale monitoring.
---

# The Chronyd service is disabled
 
## Description{% #description %}

The `chrony` service can be disabled with the following command:

```
$ sudo systemctl mask --now chrony.service
```

## Rationale{% #rationale %}

Disabling the `chrony` service ensures that only a single time service is running.

## Remediation{% #remediation %}

### Shell script{% #shell-script %}

The following script can be run on the host to remediate the issue.

```bash
#!/bin/bash

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'chrony' 2>/dev/null | grep -q '^installed$'; }; then

var_timesync_service='systemd-timesyncd'

if [ "$var_timesync_service" != chronyd ]; then
  SYSTEMCTL_EXEC='/usr/bin/systemctl'
  "$SYSTEMCTL_EXEC" stop 'chrony.service'
  "$SYSTEMCTL_EXEC" disable 'chrony.service'
  "$SYSTEMCTL_EXEC" mask 'chrony.service'
  # Disable socket activation if we have a unit file for it
  if "$SYSTEMCTL_EXEC" -q list-unit-files chrony.socket; then
      "$SYSTEMCTL_EXEC" stop 'chrony.socket'
      "$SYSTEMCTL_EXEC" mask 'chrony.socket'
  fi
  # The service may not be running because it has been started and failed,
  # so let's reset the state so OVAL checks pass.
  # Service should be 'inactive', not 'failed' after reboot though.
  "$SYSTEMCTL_EXEC" reset-failed 'chrony.service' || true
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
```
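
To confirm the state the script above aims for (masked, and `inactive` rather than `failed`), the following check classifies the output of `systemctl show`. It is an added example, not part of the original rule or its remediation content; the function names `check_masked_state` and `audit_unit` and the sample outputs are constructed for illustration.

```bash
#!/bin/bash
# Added example: classify a unit from `systemctl show` KEY=VALUE lines on stdin.
# Prints one of: compliant, absent, not-masked, still-active, failed-state.
check_masked_state() {
    _load='' _active=''
    while IFS='=' read -r _key _value; do
        case "$_key" in
            LoadState)   _load=$_value ;;
            ActiveState) _active=$_value ;;
        esac
    done
    if [ "$_load" = not-found ]; then
        echo absent          # no unit file, e.g. chrony.socket is not shipped
    elif [ "$_load" != masked ]; then
        echo not-masked      # unit can still be started or pulled in
    elif [ "$_active" = failed ]; then
        echo failed-state    # cleared by `systemctl reset-failed`
    elif [ "$_active" != inactive ]; then
        echo still-active    # masked without stopping the running process
    else
        echo compliant
    fi
}

# Hypothetical wrapper for a live systemd host.
audit_unit() {
    systemctl show -p LoadState -p ActiveState "$1" | check_masked_state
}

# Constructed sample outputs (not captured from a real host).
sample_remediated() { printf 'LoadState=masked\nActiveState=inactive\n'; }
sample_mask_only()  { printf 'LoadState=masked\nActiveState=active\n'; }
sample_failed()     { printf 'LoadState=masked\nActiveState=failed\n'; }
sample_untouched()  { printf 'LoadState=loaded\nActiveState=active\n'; }
sample_no_socket()  { printf 'LoadState=not-found\nActiveState=inactive\n'; }

for s in remediated mask_only failed untouched no_socket; do
    printf '%-12s %s\n' "$s" "$("sample_$s" | check_masked_state)"
done
```

On a host, `audit_unit chrony.service` and `audit_unit chrony.socket` apply the same classification to the live units.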

### Ansible playbook{% #ansible-playbook %}

The following playbook can be run with Ansible to remediate the issue.

```yaml
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_chronyd_disabled
- name: XCCDF Value var_timesync_service # promote to variable
  set_fact:
    var_timesync_service: !!str systemd-timesyncd
  tags:
    - always

- name: The Chronyd service is disabled - Collect systemd Services Present in the
    System
  ansible.builtin.command: systemctl -q list-unit-files --type service
  register: service_exists
  changed_when: false
  failed_when: service_exists.rc not in [0, 1]
  check_mode: false
  when:
  - '"linux-base" in ansible_facts.packages'
  - '"chrony" in ansible_facts.packages'
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_chronyd_disabled

- name: The Chronyd service is disabled - Ensure "chrony.service" is Masked
  ansible.builtin.systemd:
    name: chrony.service
    state: stopped
    enabled: false
    masked: true
  when:
  - '"linux-base" in ansible_facts.packages'
  - '"chrony" in ansible_facts.packages'
  - service_exists.stdout_lines is search("chrony.service",multiline=True)
  - var_timesync_service != "chronyd"
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_chronyd_disabled

- name: Unit Socket Exists - chrony.socket
  ansible.builtin.command: systemctl -q list-unit-files chrony.socket
  register: socket_file_exists
  changed_when: false
  failed_when: socket_file_exists.rc not in [0, 1]
  check_mode: false
  when:
  - '"linux-base" in ansible_facts.packages'
  - '"chrony" in ansible_facts.packages'
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_chronyd_disabled

- name: Disable socket chrony
  ansible.builtin.systemd:
    name: chrony.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - '"linux-base" in ansible_facts.packages'
  - '"chrony" in ansible_facts.packages'
  - socket_file_exists.stdout_lines is search("chrony.socket",multiline=True)
  - var_timesync_service != "chronyd"
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_chronyd_disabled
```
