documentation_complete: true


title: 'Enable the NTP Daemon'

description: |-
    {{% if "debian" in product %}}
    {{{ ocil_service_enabled(service="chrony") }}}
    {{% else %}}
    {{{ ocil_service_enabled(service="chronyd") }}}
    {{% endif %}}
    Note: The <tt>chronyd</tt> daemon is enabled by default.
    <br /><br />
    {{{ ocil_service_enabled(service="ntpd") }}}
    Note: The <tt>ntpd</tt> daemon is not enabled by default. Though as mentioned
    in the previous sections in certain environments the <tt>ntpd</tt> daemon might
    be preferred to be used rather than the <tt>chronyd</tt> one. Refer to:
    {{% if product == "ol7" %}}
        {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/7/network/ol7-nettime.html") }}}
    {{% elif product == "ol8" %}}
        {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/network/network-ConfiguringNetworkTime.html#ol-nettime") }}}
    {{% elif product in ["sle12", "sle15"] %}}
        {{{ weblink(link="https://documentation.suse.com/sles/15-SP1/html/SLES-all/cha-ntp.html") }}}
    {{% elif "rhel" in product %}}
        {{{ weblink(link="https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html-single/configuring_basic_system_settings/index#proc_migrating-to-chrony_configuring-time-synchronization") }}}
    {{% endif %}}
    for guidance which NTP daemon to choose depending on the environment used.

rationale: |-
    Enabling some of {{% if "debian" in product %}}<tt>chrony</tt>{{% else %}}<tt>chronyd</tt>{{% endif %}} or <tt>ntpd</tt> services ensures
    that the NTP daemon will be running and that the system will synchronize its
    time to any servers specified. This is important whether the system is
    configured to be a client (and synchronize only its own clock) or it is also
    acting as an NTP server to other systems.  Synchronizing time is essential for
    authentication services such as Kerberos, but it is also important for
    maintaining accurate logs and auditing possible security breaches.
    <br /><br />
    The <tt>chronyd</tt> and <tt>ntpd</tt> NTP daemons offer all of the
    functionality of <tt>ntpdate</tt>, which is now deprecated.

severity: medium


identifiers:
    cce@rhcos4: CCE-82682-6
    cce@rhel8: CCE-80874-1
    cce@rhel10: CCE-89185-3
    cce@sle12: CCE-91629-6
    cce@sle15: CCE-85835-7

references:
    cis-csc: 1,14,15,16,3,5,6
    cobit5: APO11.04,BAI03.05,DSS05.04,DSS05.07,MEA02.01
    cui: 3.3.7
    isa-62443-2009: 4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
    isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9'
    iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1
    nist: CM-6(a),AU-8(1)(a),AU-12(1)
    nist-csf: PR.PT-1
    pcidss: Req-10.4.1
    srg: SRG-APP-000116-CTR-000235

ocil: |-
    {{% if "debian" in product %}}
    {{{ ocil_service_enabled(service="chrony") }}}
    {{% else %}}
    {{{ ocil_service_enabled(service="chronyd") }}}
    {{% endif %}}
    {{{ ocil_service_enabled(service="ntpd") }}}