{"description": "The <tt>cmdport</tt> option in <tt>/etc/chrony/chrony.conf</tt> can be set to\n<tt>0</tt> to stop the chrony daemon from listening on UDP port 323\nfor management connections made by chronyc.", "rationale": "Minimizing the exposure of the server functionality of the chrony\ndaemon diminishes the attack surface.", "severity": "low", "references": {"nist": ["CM-7(1)"], "srg": ["SRG-OS-000096-GPOS-00050", "SRG-OS-000095-GPOS-00049"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the \"cmdport\" option is not set to \"0\", is commented out, or is missing", "ocil": "Verify Ubuntu 22.04 disables network management of the chrony daemon with the following command:\n<pre>$ grep -w cmdport /etc/chrony/chrony.conf</pre>\n<pre>cmdport 0</pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to disable network management of the chrony daemon by adding/modifying the following line in the /etc/chrony/chrony.conf file:\n\ncmdport 0", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must disable network management of the chrony daemon.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must disable network management of the chrony daemon.", "vuldiscussion": "Not exposing the management interface of the chrony daemon on the network diminishes the attack space.", "checktext": "Verify Ubuntu 22.04 disables network management of the chrony daemon with the following command:\n\n$ grep -w cmdport /etc/chrony.conf\n\ncmdport 0\n\nIf the \"cmdport\" option is not set to \"0\", is commented out, or is missing, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to disable network management of the chrony daemon by adding/modifying the following line in the /etc/chrony.conf file:\n\ncmdport 0"}}, "platform": "package[chrony]", "platforms": ["package[chrony]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], 
"cpe_platform_names": ["package_chrony"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Disable network management of chrony daemon", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml", "template": null}