documentation_complete: true


title: 'Configure Time Service Maxpoll Interval'

description: |-
    The <tt>maxpoll</tt> should be configured to
    {{{ xccdf_value("var_time_service_set_maxpoll") }}} in <tt>/etc/ntp.conf</tt> or
    <tt>{{{ chrony_conf_path }}}</tt> (or <tt>{{{ chrony_d_path }}}</tt>) to continuously poll time servers. To configure
    <tt>maxpoll</tt> in <tt>/etc/ntp.conf</tt> or <tt>{{{ chrony_conf_path }}}</tt> (or <tt>{{{ chrony_d_path }}}</tt>)
    add the following after each <tt>server</tt>, <tt>pool</tt> or <tt>peer</tt> entry:
    <pre>maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}</pre>
    to <tt>server</tt> directives. If using chrony, any <tt>pool</tt> directives
    should be configured too.

    {{% if product == "rhcos4" %}}
    <p>
    Note that if the remediation shipping with this content is being used, the
    <b>MachineConfig</b> shipped does not include reference NTP servers to point
    to. It is up to the admin to set these which will vary depending on the
    cluster's requirements.
    </p>

    <p>
    The aforementioned remediation does include the directory <tt>/etc/chrony.d</tt>
    which would allow the creation of configuration files to set these servers.
    </p>

    If we'd like to set a configuration like the following:
    <pre>
    pool 2.rhel.pool.ntp.org iburst

    server 0.rhel.pool.ntp.org minpoll 4 maxpoll 10
    server 1.rhel.pool.ntp.org minpoll 4 maxpoll 10
    server 2.rhel.pool.ntp.org minpoll 4 maxpoll 10
    server 3.rhel.pool.ntp.org minpoll 4 maxpoll 10
    </pre>

    This could be done with to the following manifest:

    <pre>
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    metadata:
      labels:
        machineconfiguration.openshift.io/role: master
      name: 75-master-chrony-servers
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,pool%202.rhel.pool.ntp.org%20iburst%0A%0Aserver%200.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%201.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%202.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%203.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010
            mode: 0600
            path: /etc/chrony.d/10-rhel-pool-and-servers.conf
            overwrite: true
    </pre>

    Note that this needs to be done for each <pre>MachineConfigPool</pre>
    {{% endif %}}

rationale: |-
    Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
    Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
    Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).

severity: medium

platforms:
    - package[ntp] or package[chrony]

identifiers:
    cce@rhcos4: CCE-82684-2
    cce@rhel8: CCE-84059-5
    cce@rhel9: CCE-88648-1
    cce@rhel10: CCE-88549-1
    cce@sle12: CCE-83124-8
    cce@sle15: CCE-83287-3
    cce@slmicro5: CCE-93709-4

references:
    cis-csc: 1,14,15,16,3,5,6
    cobit5: APO11.04,BAI03.05,DSS05.04,DSS05.07,MEA02.01
    isa-62443-2009: 4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
    isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9'
    iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1
    nist: CM-6(a),AU-8(1)(b),AU-12(1)
    nist-csf: PR.PT-1
    nist@sle12: AU-8(1)(a),AU-8(1)(b)
    srg: SRG-OS-000355-GPOS-00143,SRG-OS-000356-GPOS-00144,SRG-OS-000359-GPOS-00146
    stigid@ol7: OL07-00-040500
    stigid@ol8: OL08-00-030740
    stigid@sle12: SLES-12-030300
    stigid@sle15: SLES-15-010400

ocil_clause: '"maxpoll" has not been set to the value of "{{{ xccdf_value("var_time_service_set_maxpoll") }}}", is commented out, or is missing'

ocil: |-
    Verify {{{ full_name }}} is securely comparing internal information system clocks at a regular interval with an NTP server with the following command:
    <pre>$ sudo grep maxpoll /etc/ntp.conf {{{ chrony_conf_path }}} {{{ chrony_d_path }}}</pre>
    <pre>server [ntp.server.name] iburst maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}</pre>.

fixtext: |-
    Configure {{{ full_name }}} to securely compare internal information system clocks at a regular interval with an NTP server by adding/modifying the following line in the {{{ chrony_conf_path }}} file.

    server [ntp.server.name] iburst maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}

srg_requirement: |-
    {{{ full_name }}} must securely compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).