openstack/ansible-hardening
Code Issues Proposed changes
2d4afc35d2
ansible-hardening/templates/chrony.conf.j2
Logan V 2a4875f2cd Re-adding the missing NTP default vars 
Some of the NTP defaults used to deploy chrony were shared between
both the RHEL6 and RHEL7 STIG tasks, however the required defaults
for these vars were removed in
Iaae52c97a35d82dd807ef78a1a6593ce3aa33540.

Since they are still needed by the RHEL7 STIG chrony deployment
we will need to add them back.

I also removed a reference to "security_disable_ipv6" in the chrony
config file which was used to determine if Chrony should bind ::1 for
its management socket. Since the "security_disable_ipv6" var no longer
exists, we will unconditionally bind the ::1 management address.

Change-Id: Ic80bda5fbf5cb4424e305ff9839121416b8bea19
2017-09-13 16:10:01 +00:00

103 lines
3.6 KiB
Django/Jinja
Raw Blame History

# {{ ansible_managed }}
#
# This the default chrony.conf file for the Debian chrony package. After
# editing this file use the command 'invoke-rc.d chrony restart' to make
# your changes take effect. John Hasler <jhasler@debian.org> 1998-2008
# See www.pool.ntp.org for an explanation of these servers. Please
# consider joining the project if possible. If you can't or don't want to
# use these servers I suggest that you try your ISP's nameservers. We mark
# the servers 'offline' so that chronyd won't try to connect when the link
# is down. Scripts in /etc/ppp/ip-up.d and /etc/ppp/ip-down.d use chronyc
# commands to switch it on when a dialup link comes up and off when it goes
# down. Code in /etc/init.d/chrony attempts to determine whether or not
# the link is up at boot time and set the online status accordingly. If
# you have an always-on connection such as cable omit the 'offline'
# directive and chronyd will default to online.
#
# Note that if Chrony tries to go "online" and dns lookup of the servers
# fails they will be discarded. Thus under some circumstances it is
# better to use IP numbers than host names.
{% for ntp_server in security_ntp_servers %}
server {{ ntp_server }} offline maxpoll 10 minpoll 8
{% endfor %}
# Look here for the admin password needed for chronyc. The initial
# password is generated by a random process at install time. You may
# change it if you wish.
keyfile /etc/chrony/chrony.keys
# Set runtime command key. Note that if you change the key (not the
# password) to anything other than 1 you will need to edit
# /etc/ppp/ip-up.d/chrony, /etc/ppp/ip-down.d/chrony, /etc/init.d/chrony
# and /etc/cron.weekly/chrony as these scripts use it to get the password.
commandkey 1
# I moved the driftfile to /var/lib/chrony to comply with the Debian
# filesystem standard.
driftfile /var/lib/chrony/chrony.drift
# Comment this line out to turn off logging.
log tracking measurements statistics
logdir /var/log/chrony
# Stop bad estimates upsetting machine clock.
maxupdateskew 100.0
# Dump measurements when daemon exits.
dumponexit
# Specify directory for dumping measurements.
dumpdir /var/lib/chrony
# Let computer be a server when it is unsynchronised.
local stratum 10
# Allow computers on the unrouted nets to use the server.
{% for subnet in security_allowed_ntp_subnets %}
allow {{ subnet }}
{% endfor %}
# This directive forces `chronyd' to send a message to syslog if it
# makes a system clock adjustment larger than a threshold value in seconds.
logchange 0.5
# This directive defines an email address to which mail should be sent
# if chronyd applies a correction exceeding a particular threshold to the
# system clock.
# mailonchange root@localhost 0.5
# This directive tells chrony to regulate the real-time clock and tells it
# Where to store related data. It may not work on some newer motherboards
# that use the HPET real-time clock. It requires enhanced real-time
# support in the kernel. I've commented it out because with certain
# combinations of motherboard and kernel it is reported to cause lockups.
# rtcfile /var/lib/chrony/chrony.rtc
# If the last line of this file reads 'rtconutc' chrony will assume that
# the CMOS clock is on UTC (GMT). If it reads '# rtconutc' or is absent
# chrony will assume local time. The line (if any) was written by the
# chrony postinst based on what it found in /etc/default/rcS. You may
# change it if necessary.
rtconutc
{% if security_ntp_bind_local_interfaces_only | bool %}
# Listen for NTP requests only on local interfaces.
port 0
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
{% endif %}
View Git Blame Copy Permalink