Specify a Remote NTP Server

Classification:

compliance

Framework:

Control:

Description

To specify a remote NTP server for time synchronization, edit the file /etc/ntp.conf. Add or correct the following line, substituting the IP address or hostname of a remote NTP server for ntpserver:

server *ntpserver*

This instructs the NTP software to contact that remote server to obtain time data.
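As an added example (not part of the ComplianceAsCode rule or its remediation), here is a POSIX shell audit function for the complementary check: does a given ntp.conf carry at least one active remote server or pool directive? The function names and the two sample config files are constructed for illustration; lines pointing at the local clock driver (127.127.x.x) are excluded because they are not remote servers.

```shell
#!/bin/sh
# Added example: audit-only check that mirrors the rule's test.
# Hypothetical function names; the config path defaults to /etc/ntp.conf.

# Count active (uncommented) "server"/"pool" directives in a config file,
# ignoring the local clock driver (127.127.x.x), which is not a remote server.
ntp_remote_server_count() {
    config_file="${1:-/etc/ntp.conf}"
    [ -r "$config_file" ] || { echo 0; return; }
    grep -E '^[[:space:]]*(server|pool)[[:space:]]+[^[:space:]#]+' "$config_file" \
        | grep -Ev '^[[:space:]]*(server|pool)[[:space:]]+127\.127\.' \
        | wc -l | tr -d ' '
}

# Print a verdict and return 0 (compliant) when at least one remote
# server/pool directive is present, 1 (not compliant) otherwise.
ntp_check_remote_server() {
    config_file="${1:-/etc/ntp.conf}"
    count=$(ntp_remote_server_count "$config_file")
    if [ "$count" -gt 0 ]; then
        echo "PASS: $count remote server/pool directive(s) in $config_file"
        return 0
    fi
    echo "FAIL: no remote server or pool directive in $config_file" >&2
    return 1
}

# Constructed sample configs (temporary files) so the block runs stand-alone.
sample_dir=$(mktemp -d)
# 1) Compliant: a commented-out line, two live directives with options,
#    and the local clock driver.
printf '%s\n' '# server 0.example.invalid' \
    'server 0.rhel.pool.ntp.org iburst' \
    'pool 2.rhel.pool.ntp.org iburst maxsources 4' \
    'server 127.127.1.0   # local clock' > "$sample_dir/good.conf"
# 2) Non-compliant: only comments and the local clock driver.
printf '%s\n' '#server 0.rhel.pool.ntp.org' \
    'server 127.127.1.0' \
    'driftfile /var/lib/ntp/drift' > "$sample_dir/bad.conf"

ntp_check_remote_server "$sample_dir/good.conf"          # PASS, 2 directives
ntp_check_remote_server "$sample_dir/bad.conf" || true   # FAIL
```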

Rationale

Synchronizing with an NTP server makes it possible to collate system logs from multiple sources and to correlate computer events with real-time events.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q ntp; }; then

var_multiple_time_servers='0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org'


config_file="/etc/ntp.conf"

# Only add servers when no active "server" or "pool" directive exists yet.
# Extended regex with POSIX classes: the Perl-style '[\s]' and '(?:' forms are
# not understood by grep's default basic-regex mode and would never match.
if ! grep -Eq '^[[:space:]]*(server|pool)[[:space:]]+[[:alnum:]_]+' "$config_file" ; then
  if ! grep -q '#[[:space:]]*server' "$config_file" ; then
    # No commented-out server lines: append one "server" line per configured host
    for server in $(echo "$var_multiple_time_servers" | tr ',' '\n') ; do
      printf '\nserver %s' "$server" >> "$config_file"
    done
  else
    # Re-enable the commented-out server lines already present in the file
    sed -i 's/#[ \t]*server/server/g' "$config_file"
  fi
fi

else
  >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83436-6
  - NIST-800-53-AU-8(1)(a)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4.1
  - PCI-DSS-Req-10.4.3
  - PCI-DSSv4-10.6.1
  - PCI-DSSv4-10.6.2
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - ntpd_specify_remote_server

- name: XCCDF Value var_multiple_time_servers # promote to variable
  set_fact:
    var_multiple_time_servers: !!str 0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org
  tags:
  - always

- name: Detect if ntp is already configured with pools or servers
  find:
    path: /etc
    patterns: ntp.conf
    contains: ^[\s]*(?:server|pool)[\s]+[\w]+
  register: ntp_servers
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - '"ntp" in ansible_facts.packages'
  tags:
  - CCE-83436-6
  - NIST-800-53-AU-8(1)(a)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4.1
  - PCI-DSS-Req-10.4.3
  - PCI-DSSv4-10.6.1
  - PCI-DSSv4-10.6.2
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - ntpd_specify_remote_server

- name: Configure remote time servers
  lineinfile:
    path: /etc/ntp.conf
    line: server {{ item }}
    state: present
    create: true
  loop: '{{ var_multiple_time_servers.split(",") }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - '"ntp" in ansible_facts.packages'
  - ntp_servers.matched == 0
  tags:
  - CCE-83436-6
  - NIST-800-53-AU-8(1)(a)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4.1
  - PCI-DSS-Req-10.4.3
  - PCI-DSSv4-10.6.1
  - PCI-DSSv4-10.6.2
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - ntpd_specify_remote_server