{"description": "The <tt>ntpdate</tt> service sets the local hardware clock by polling NTP servers\nwhen the system boots. It synchronizes to the NTP servers listed in\n<tt>/etc/ntp/step-tickers</tt> or <tt>/etc/ntp.conf</tt>\nand then sets the local hardware clock to the newly synchronized\nsystem time.\n\nThe <code>ntpdate</code> service can be disabled with the following command:\n<pre>$ sudo systemctl mask --now ntpdate.service</pre>", "rationale": "The <tt>ntpdate</tt> service may only be suitable for systems which\nare rebooted frequently enough that clock drift does not cause problems between\nreboots. In any event, the functionality of the ntpdate service is now\navailable in the ntpd program and should be considered deprecated.", "severity": "low", "references": {"cis-csc": ["11", "12", "14", "15", "3", "8", "9"], "cobit5": ["APO13.01", "BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS01.04", "DSS05.02", "DSS05.03", "DSS05.05", "DSS06.06"], "isa-62443-2009": ["4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4", "4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 7.1", "SR 7.6"], "iso27001-2013": ["A.11.2.6", "A.12.1.2", "A.12.5.1", "A.12.6.2", "A.13.1.1", "A.13.2.1", "A.14.1.3", "A.14.2.2", "A.14.2.3", "A.14.2.4", "A.6.2.1", "A.6.2.2", "A.9.1.2"], "nist": ["CM-7(a)", "CM-7(b)", "CM-6(a)"], "nist-csf": ["PR.AC-3", "PR.IP-1", "PR.PT-3", "PR.PT-4"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the \"ntpdate\" is loaded and not masked", "ocil": "To check that the <code>ntpdate</code> service is disabled in system boot configuration,\nrun the following command:\n<pre>$ sudo systemctl is-enabled <code>ntpdate</code></pre>\nOutput should indicate the <code>ntpdate</code> service has either not been installed,\nor has been disabled at all runlevels, as shown in the example below:\n<pre>$ sudo systemctl is-enabled <code>ntpdate</code><br/> disabled</pre>\n\nRun the following command to verify <code>ntpdate</code> is not active (i.e. not running) through current runtime configuration:\n<pre>$ sudo systemctl is-active ntpdate</pre>\n\nIf the service is not running the command will return the following output:\n<pre>inactive</pre>\n\nThe service will also be masked, to check that the <code>ntpdate</code> is masked, run the following command:\n<pre>$ sudo systemctl show <code>ntpdate</code> | grep \"LoadState\\|UnitFileState\"</pre>\n\nIf the service is masked the command will return the following outputs:\n\n<pre>LoadState=masked</pre>\n\n<pre>UnitFileState=masked</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "sce_metadata": {"check-import": "stdout", "platform": ["multi_platform_all"], "environment": "any", "filename": "service_ntpdate_disabled.sh", "relative_path": "ubuntu2204/checks/sce/service_ntpdate_disabled.sh"}, "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Disable ntpdate Service (ntpdate)", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml", "template": {"name": "service_disabled", "vars": {"servicename": "ntpdate"}, "backends": {}}}