{"description": "\n\n\nRun the following command to determine the current status of the\n<code>chronyd</code> service:\n<pre>$ sudo systemctl is-active chronyd</pre>\nIf the service is running, it should return the following: <pre>active</pre>\n\nNote: The <tt>chronyd</tt> daemon is enabled by default.\n<br /><br />\n\n\nRun the following command to determine the current status of the\n<code>ntpd</code> service:\n<pre>$ sudo systemctl is-active ntpd</pre>\nIf the service is running, it should return the following: <pre>active</pre>\nNote: The <tt>ntpd</tt> daemon is not enabled by default. Though as mentioned\nin the previous sections in certain environments the <tt>ntpd</tt> daemon might\nbe preferred to be used rather than the <tt>chronyd</tt> one. Refer to:\n\nfor guidance which NTP daemon to choose depending on the environment used.", "rationale": "Enabling some of <tt>chronyd</tt> or <tt>ntpd</tt> services ensures\nthat the NTP daemon will be running and that the system will synchronize its\ntime to any servers specified. This is important whether the system is\nconfigured to be a client (and synchronize only its own clock) or it is also\nacting as an NTP server to other systems.  Synchronizing time is essential for\nauthentication services such as Kerberos, but it is also important for\nmaintaining accurate logs and auditing possible security breaches.\n<br /><br />\nThe <tt>chronyd</tt> and <tt>ntpd</tt> NTP daemons offer all of the\nfunctionality of <tt>ntpdate</tt>, which is now deprecated.", "severity": "medium", "references": {"cis-csc": ["1", "14", "15", "16", "3", "5", "6"], "cobit5": ["APO11.04", "BAI03.05", "DSS05.04", "DSS05.07", "MEA02.01"], "cui": ["3.3.7"], "isa-62443-2009": ["4.3.3.3.9", "4.3.3.5.8", "4.3.4.4.7", "4.4.2.1", "4.4.2.2", "4.4.2.4"], "isa-62443-2013": ["SR 2.10", "SR 2.11", "SR 2.12", "SR 2.8", "SR 2.9"], "iso27001-2013": ["A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.7.1"], "nist": ["CM-6(a)", "AU-8(1)(a)", "AU-12(1)"], "nist-csf": ["PR.PT-1"], "pcidss": ["Req-10.4.1"], "srg": ["SRG-APP-000116-CTR-000235"], "anssi": ["R71"], "ism": ["0988", "1405"], "pcidss4": ["10.6.1", "10.6"]}, "control_references": {"anssi": ["R71"], "ism": ["0988", "1405"], "pcidss4": ["10.6.1", "10.6"]}, "components": [], "identifiers": {}, "ocil_clause": null, "ocil": "\n\n\nRun the following command to determine the current status of the\n<code>chronyd</code> service:\n<pre>$ sudo systemctl is-active chronyd</pre>\nIf the service is running, it should return the following: <pre>active</pre>\n\n\n\nRun the following command to determine the current status of the\n<code>ntpd</code> service:\n<pre>$ sudo systemctl is-active ntpd</pre>\nIf the service is running, it should return the following: <pre>active</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Enable the NTP Daemon", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml", "template": null}