---
title: Configure Systemd Timesyncd Servers
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Datadog Security > OOTB Rules > Configure Systemd Timesyncd Servers
---

# Configure Systemd Timesyncd Servers
 
## Description{% #description %}

`systemd-timesyncd` is a daemon that synchronizes the system clock across the network. The `systemd-timesyncd` daemon:

- Implements an SNTP client
- Runs with minimal privileges
- Saves the current clock to disk every time a new NTP sync has been acquired
- Is hooked up with networkd to only operate when network connectivity is available

Add or edit server or pool lines to `/etc/systemd/timesyncd.conf` as appropriate:

```
server <remote-server>
```

Multiple servers may be configured.

## Rationale{% #rationale %}

Configuring `systemd-timesyncd` ensures time synchronization is working properly.

## Remediation{% #remediation %}

### Shell script{% #shell-script %}

The following script can be run on the host to remediate the issue.

```bash
#!/bin/bash

# Remediation is applicable only on certain platforms
if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'systemd' 2>/dev/null | grep -q '^installed$'; }; then

var_multiple_time_servers='time.nist.gov,time-a-g.nist.gov,time-b-g.nist.gov,time-c-g.nist.gov'

IFS=',' read -r -a time_servers_array <<< "$var_multiple_time_servers"
preferred_ntp_servers_array=("${time_servers_array[@]:0:2}")
preferred_ntp_servers=$( echo "${preferred_ntp_servers_array[@]}" )
fallback_ntp_servers_array=("${time_servers_array[@]:2}")
fallback_ntp_servers=$( echo "${fallback_ntp_servers_array[@]}" )

IFS=" " mapfile -t current_cfg_arr < <(ls -1 /etc/systemd/timesyncd.conf.d/* 2>/dev/null)

current_cfg_arr+=( "/etc/systemd/timesyncd.conf" )
# Comment out existing NTP and FallbackNTP settings
for current_cfg in "${current_cfg_arr[@]}"
do
    sed -i 's/^NTP/#&/g' "$current_cfg"
    sed -i 's/^FallbackNTP/#&/g' "$current_cfg"
done

# Set primary and fallback NTP servers in drop-in configuration
# Create /etc/systemd/timesyncd.conf.d if it doesn't exist
if [ ! -d "/etc/systemd/timesyncd.conf.d" ]
then 
    mkdir /etc/systemd/timesyncd.conf.d
fi


# Look for 'NTP' in the '[Time]' section of '/etc/systemd/timesyncd.conf.d/oscap-remedy.conf'.
# If it exists, set it to '$preferred_ntp_servers'; if only '[Time]' exists, add it there;
# otherwise append both the section and the setting.
if grep -qzosP '[[:space:]]*\[Time]([^\n\[]*\n+)+?[[:space:]]*NTP' '/etc/systemd/timesyncd.conf.d/oscap-remedy.conf'; then

    # Anchor at line start so the 'NTP' inside 'FallbackNTP' is not rewritten
    sed -i "s/^[[:space:]]*NTP[^(\n)]*/NTP=$preferred_ntp_servers/" '/etc/systemd/timesyncd.conf.d/oscap-remedy.conf'
elif grep -qs '[[:space:]]*\[Time]' '/etc/systemd/timesyncd.conf.d/oscap-remedy.conf'; then
    sed -i "/[[:space:]]*\[Time]/a NTP=$preferred_ntp_servers" '/etc/systemd/timesyncd.conf.d/oscap-remedy.conf'
else
    if test -d "/etc/systemd/timesyncd.conf.d"; then
        printf '%s\n' '[Time]' "NTP=$preferred_ntp_servers" >> '/etc/systemd/timesyncd.conf.d/oscap-remedy.conf'
    else
        echo "Config file directory '/etc/systemd/timesyncd.conf.d' doesn't exist, not remediating, assuming non-applicability." >&2
    fi
fi

# Look for 'FallbackNTP' in the '[Time]' section of '/etc/systemd/timesyncd.conf.d/oscap-remedy.conf'.
# If it exists, set it to '$fallback_ntp_servers'; if only '[Time]' exists, add it there;
# otherwise append both the section and the setting.
if grep -qzosP '[[:space:]]*\[Time]([^\n\[]*\n+)+?[[:space:]]*FallbackNTP' '/etc/systemd/timesyncd.conf.d/oscap-remedy.conf'; then
    
    sed -i "s/FallbackNTP[^(\n)]*/FallbackNTP=$fallback_ntp_servers/" '/etc/systemd/timesyncd.conf.d/oscap-remedy.conf'
elif grep -qs '[[:space:]]*\[Time]' '/etc/systemd/timesyncd.conf.d/oscap-remedy.conf'; then
    sed -i "/[[:space:]]*\[Time]/a FallbackNTP=$fallback_ntp_servers" '/etc/systemd/timesyncd.conf.d/oscap-remedy.conf'
else
    if test -d "/etc/systemd/timesyncd.conf.d"; then
        printf '%s\n' '[Time]' "FallbackNTP=$fallback_ntp_servers" >> '/etc/systemd/timesyncd.conf.d/oscap-remedy.conf'
    else
        echo "Config file directory '/etc/systemd/timesyncd.conf.d' doesn't exist, not remediating, assuming non-applicability." >&2
    fi
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
```
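To confirm what the daemon will actually use after remediation, the following added example (not part of this page's remediation or of the upstream project) merges `timesyncd.conf` and its drop-ins and prints the effective `NTP=` or `FallbackNTP=` list. It follows the `timesyncd.conf(5)` behavior that assignments append and an empty assignment resets the list; the function names `effective_servers` and `make_sample`, and the sample tree with `ntp.old.example`, are constructed for illustration.

```bash
#!/bin/bash
# Added example, not the page's remediation: print the effective NTP= or
# FallbackNTP= list for a timesyncd config tree. Assumption: only
# ROOT/timesyncd.conf and ROOT/timesyncd.conf.d/*.conf are read.

# effective_servers ROOT KEY -> space-separated server list on stdout
effective_servers() {
    root=$1; key=$2
    set --
    if [ -f "$root/timesyncd.conf" ]; then set -- "$root/timesyncd.conf"; fi
    for f in "$root"/timesyncd.conf.d/*.conf; do   # glob expands in sorted order
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    if [ "$#" -eq 0 ]; then return 1; fi
    awk -v key="$key" '
        FNR == 1        { in_time = 0 }   # a section never spans two files
        /^[ \t]*[#;]/   { next }          # commented-out settings are inactive
        /^[ \t]*\[/     { in_time = ($0 ~ /^[ \t]*\[Time][ \t]*$/); next }
        !in_time        { next }          # keys outside [Time] do not count
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k != key) next
            if (v == "") list = ""        # empty assignment resets the list
            else list = (list == "" ? v : list " " v)
        }
        END { print list }
    ' "$@"
}

# make_sample ROOT: constructed tree shaped like the result of the script above
make_sample() {
    mkdir -p "$1/timesyncd.conf.d"
    printf '%s\n' '[Time]' '#NTP=ntp.old.example' > "$1/timesyncd.conf"
    printf '%s\n' '[Time]' 'FallbackNTP=time-b-g.nist.gov time-c-g.nist.gov' \
        'NTP=time.nist.gov time-a-g.nist.gov' \
        > "$1/timesyncd.conf.d/oscap-remedy.conf"
}

demo=$(mktemp -d)
make_sample "$demo"
echo "NTP:         $(effective_servers "$demo" NTP)"
echo "FallbackNTP: $(effective_servers "$demo" FallbackNTP)"
rm -rf "$demo"
```

On a host, `effective_servers /etc/systemd NTP` shows the merged list. A drop-in that sorts after `oscap-remedy.conf` appends to it, so review the whole directory rather than the one file the remediation writes.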

### Ansible playbook{% #ansible-playbook %}

The following playbook can be run with Ansible to remediate the issue.

```yaml
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - PCI-DSS-Req-10.4.3
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_timesyncd_configured
- name: XCCDF Value var_multiple_time_servers # promote to variable
  set_fact:
    var_multiple_time_servers: !!str time.nist.gov,time-a-g.nist.gov,time-b-g.nist.gov,time-c-g.nist.gov
  tags:
    - always

- name: Configure Systemd Timesyncd Servers - Set Primary NTP Servers
  ansible.builtin.set_fact:
    preferred_ntp_servers: '{{ var_multiple_time_servers.split(",") | slice(2)| first
      | join(" ") }}'
  when:
  - '"linux-base" in ansible_facts.packages'
  - '"systemd" in ansible_facts.packages'
  tags:
  - PCI-DSS-Req-10.4.3
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_timesyncd_configured

- name: Configure Systemd Timesyncd Servers - Set Fallback NTP Servers
  ansible.builtin.set_fact:
    fallback_ntp_servers: '{{ var_multiple_time_servers.split(",") | slice(2)| list
      | last | join(" ") }}'
  when:
  - '"linux-base" in ansible_facts.packages'
  - '"systemd" in ansible_facts.packages'
  tags:
  - PCI-DSS-Req-10.4.3
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_timesyncd_configured

- name: Set 'NTP' to '{{ preferred_ntp_servers }}' in the [Time] section of '/etc/systemd/timesyncd.conf.d/oscap-remedy.conf'
  community.general.ini_file:
    path: /etc/systemd/timesyncd.conf.d/oscap-remedy.conf
    section: Time
    option: NTP
    value: '{{ preferred_ntp_servers }}'
    create: true
    mode: '0644'
  when:
  - '"linux-base" in ansible_facts.packages'
  - '"systemd" in ansible_facts.packages'
  tags:
  - PCI-DSS-Req-10.4.3
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_timesyncd_configured

- name: Set 'FallbackNTP' to '{{ fallback_ntp_servers }}' in the [Time] section of
    '/etc/systemd/timesyncd.conf.d/oscap-remedy.conf'
  community.general.ini_file:
    path: /etc/systemd/timesyncd.conf.d/oscap-remedy.conf
    section: Time
    option: FallbackNTP
    value: '{{ fallback_ntp_servers }}'
    create: true
    mode: '0644'
  when:
  - '"linux-base" in ansible_facts.packages'
  - '"systemd" in ansible_facts.packages'
  tags:
  - PCI-DSS-Req-10.4.3
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_timesyncd_configured
```
