From 2a4875f2cd556588db8cdb337355a27ad40029d1 Mon Sep 17 00:00:00 2001
From: Logan V
Date: Wed, 13 Sep 2017 00:30:08 -0500
Subject: [PATCH] Re-adding the missing NTP default vars

Some of the NTP defaults used to deploy chrony were shared between both the RHEL6 and RHEL7 STIG tasks, however the required defaults for these vars were removed in Iaae52c97a35d82dd807ef78a1a6593ce3aa33540. Since they are still needed by the RHEL7 STIG chrony deployment we will need to add them back.

I also removed a reference to "security_disable_ipv6" in the chrony config file which was used to determine if Chrony should bind ::1 for its management socket. Since the "security_disable_ipv6" var no longer exists, we will unconditionally bind the ::1 management address.

Change-Id: Ic80bda5fbf5cb4424e305ff9839121416b8bea19
---
 defaults/main.yml | 8 ++++++++
 templates/chrony.conf.j2 | 2 --
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 570b1890..dbb947d0 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -266,6 +266,14 @@ security_ntp_servers:
 - 1.pool.ntp.org
 - 2.pool.ntp.org
 - 3.pool.ntp.org
+# Chrony limits access to clients that are on certain subnets. Adjust the
+# following subnets here to limit client access to chrony servers.
+security_allowed_ntp_subnets:
+ - 10/8
+ - 192.168/16
+ - 172.16/12
+# Listen for NTP requests only on local interfaces.
+security_ntp_bind_local_interfaces_only: yes
 # Restrict mail relaying.
 security_rhel7_restrict_mail_relaying: yes # V-72297
 # Deploy a login banner. # V-72225 / V-71863
diff --git a/templates/chrony.conf.j2 b/templates/chrony.conf.j2
index 1870f6ab..968abfb2 100644
--- a/templates/chrony.conf.j2
+++ b/templates/chrony.conf.j2
@@ -98,7 +98,5 @@ rtconutc
 # Listen for NTP requests only on local interfaces.
 port 0
 bindcmdaddress 127.0.0.1
-{% if not security_disable_ipv6 | bool %}
 bindcmdaddress ::1
 {% endif %}
-{% endif %}
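Review bot: The new `security_allowed_ntp_subnets` default lists all three RFC 1918 ranges, but the comment above it does not say so, so an operator reading the variable on its own may not realise that every host on a shared private network is permitted to query chronyd once it is serving time. Suggest extending the comment with `# These defaults cover the whole RFC 1918 private space; narrow them to the subnets that actually need time from this host.` The chrony template in this same commit appears to emit `port 0` under the local-interfaces-only branch, so these subnets presumably only take effect when `security_ntp_bind_local_interfaces_only` is turned off — worth stating that dependency in the comment as well. Separately, `security_ntp_bind_local_interfaces_only: yes` uses the YAML 1.1 `yes` spelling that yamllint's truthy rule flags; it matches the neighbouring `security_rhel7_restrict_mail_relaying: yes`, so it is the file's existing convention rather than a defect introduced here, but `true` would be the portable form if the file is ever normalised.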
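Review bot: `bindcmdaddress ::1` is now emitted unconditionally, so on a host where IPv6 has been disabled chronyd will try to bind its command socket on an address family the kernel does not provide; recent chrony versions appear to log a warning and continue rather than exit, but that assumption is recorded only in the commit message, not in the template. Suggest a Jinja comment above the line so the next reader does not reintroduce a toggle: `{# ::1 is always bound here; the former security_disable_ipv6 switch was removed. chronyd is expected to warn, not fail, when IPv6 is unavailable. #}` Keeping both loopback bindings explicit is the right defensive default, since `bindcmdaddress` is what stops the command port from listening on routable interfaces. The `{% if %}` closed by the remaining `{% endif %}` starts above the hunk, so its condition is not visible here.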