Re-adding the missing NTP default vars

Some of the NTP defaults used to deploy chrony were shared between both the RHEL6 and RHEL7 STIG tasks, however the required defaults for these vars were removed in Iaae52c97a35d82dd807ef78a1a6593ce3aa33540. Since they are still needed by the RHEL7 STIG chrony deployment we will need to add them back. I also removed a reference to "security_disable_ipv6" in the chrony config file which was used to determine if Chrony should bind ::1 for its management socket. Since the "security_disable_ipv6" var no longer exists, we will unconditionally bind the ::1 management address. Change-Id: Ic80bda5fbf5cb4424e305ff9839121416b8bea19
2017-09-13 00:30:08 -05:00 · 2017-09-13 00:30:08 -05:00 · 2a4875f2cd
commit 2a4875f2cd
parent 422a865392
2 changed files with 8 additions and 2 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -266,6 +266,14 @@ security_ntp_servers:
  - 1.pool.ntp.org
  - 2.pool.ntp.org
  - 3.pool.ntp.org
+# Chrony limits access to clients that are on certain subnets.  Adjust the
+# following subnets here to limit client access to chrony servers.
+security_allowed_ntp_subnets:
+  - 10/8
+  - 192.168/16
+  - 172.16/12
+# Listen for NTP requests only on local interfaces.
+security_ntp_bind_local_interfaces_only: yes
 # Restrict mail relaying.
 security_rhel7_restrict_mail_relaying: yes                   # V-72297
 # Deploy a login banner.                                     # V-72225 / V-71863
--- a/templates/chrony.conf.j2
+++ b/templates/chrony.conf.j2
@ -98,7 +98,5 @@ rtconutc
 # Listen for NTP requests only on local interfaces.
 port 0
 bindcmdaddress 127.0.0.1
-{% if not security_disable_ipv6 | bool %}
 bindcmdaddress ::1
 {% endif %}
-{% endif %}