Description

systemd-timesyncd is a daemon that has been added for synchronizing the system clock across the network. The systemd-timesyncd daemon:

  • Implements an SNTP client
  • Runs with minimal privileges
  • Saves the current clock to disk every time a new NTP sync has been acquired
  • Is hooked up with networkd to only operate when network connectivity is available

Add or edit server or pool lines to /etc/systemd/timesyncd.conf as appropriate:
server <remote-server>

Multiple servers may be configured.

Rationale

Configuring systemd-timesyncd ensures time synchronization is working properly. Hosts whose clocks agree with a trusted time source produce audit and system log timestamps that can be correlated across systems during an investigation.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

#!/bin/bash

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'systemd' 2>/dev/null | grep -q '^installed$'; }; then

var_multiple_time_servers='time.nist.gov,time-a-g.nist.gov,time-b-g.nist.gov,time-c-g.nist.gov'

IFS=',' read -r -a time_servers_array <<< "$var_multiple_time_servers"
preferred_ntp_servers_array=("${time_servers_array[@]:0:2}")
preferred_ntp_servers=$( echo "${preferred_ntp_servers_array[@]}" )
fallback_ntp_servers_array=("${time_servers_array[@]:2}")
fallback_ntp_servers=$( echo "${fallback_ntp_servers_array[@]}" )

IFS=" " mapfile -t current_cfg_arr < <(ls -1 /etc/systemd/timesyncd.conf.d/* 2>/dev/null)

current_cfg_arr+=( "/etc/systemd/timesyncd.conf" )
# Comment existing NTP FallbackNTP settings
for current_cfg in "${current_cfg_arr[@]}"
do
    sed -i 's/^NTP/#&/g' "$current_cfg"
    sed -i 's/^FallbackNTP/#&/g' "$current_cfg"
done

# Set primary and fallback NTP servers in the drop-in configuration
# Create /etc/systemd/timesyncd.conf.d if it doesn't exist
if [ ! -d "/etc/systemd/timesyncd.conf.d" ]
then 
    mkdir /etc/systemd/timesyncd.conf.d
fi


# Look for a '[Time]' section followed by an 'NTP' key in '/etc/systemd/timesyncd.conf.d/oscap-remedy.conf':
# if found, set it to '$preferred_ntp_servers'; if only '[Time]' exists, add the key under it;
# if neither exists, append both the section header and the key
if grep -qzosP '[[:space:]]*\[Time]([^\n\[]*\n+)+?[[:space:]]*NTP' '/etc/systemd/timesyncd.conf.d/oscap-remedy.conf'; then
    
    sed -i "s/NTP[^(\n)]*/NTP=$preferred_ntp_servers/" '/etc/systemd/timesyncd.conf.d/oscap-remedy.conf'
elif grep -qs '[[:space:]]*\[Time]' '/etc/systemd/timesyncd.conf.d/oscap-remedy.conf'; then
    sed -i "/[[:space:]]*\[Time]/a NTP=$preferred_ntp_servers" '/etc/systemd/timesyncd.conf.d/oscap-remedy.conf'
else
    if test -d "/etc/systemd/timesyncd.conf.d"; then
        printf '%s\n' '[Time]' "NTP=$preferred_ntp_servers" >> '/etc/systemd/timesyncd.conf.d/oscap-remedy.conf'
    else
        echo "Config file directory '/etc/systemd/timesyncd.conf.d' doesn't exist, not remediating, assuming non-applicability." >&2
    fi
fi

# Look for a '[Time]' section followed by a 'FallbackNTP' key in '/etc/systemd/timesyncd.conf.d/oscap-remedy.conf':
# if found, set it to '$fallback_ntp_servers'; if only '[Time]' exists, add the key under it;
# if neither exists, append both the section header and the key
if grep -qzosP '[[:space:]]*\[Time]([^\n\[]*\n+)+?[[:space:]]*FallbackNTP' '/etc/systemd/timesyncd.conf.d/oscap-remedy.conf'; then
    
    sed -i "s/FallbackNTP[^(\n)]*/FallbackNTP=$fallback_ntp_servers/" '/etc/systemd/timesyncd.conf.d/oscap-remedy.conf'
elif grep -qs '[[:space:]]*\[Time]' '/etc/systemd/timesyncd.conf.d/oscap-remedy.conf'; then
    sed -i "/[[:space:]]*\[Time]/a FallbackNTP=$fallback_ntp_servers" '/etc/systemd/timesyncd.conf.d/oscap-remedy.conf'
else
    if test -d "/etc/systemd/timesyncd.conf.d"; then
        printf '%s\n' '[Time]' "FallbackNTP=$fallback_ntp_servers" >> '/etc/systemd/timesyncd.conf.d/oscap-remedy.conf'
    else
        echo "Config file directory '/etc/systemd/timesyncd.conf.d' doesn't exist, not remediating, assuming non-applicability." >&2
    fi
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - PCI-DSS-Req-10.4.3
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_timesyncd_configured
- name: XCCDF Value var_multiple_time_servers # promote to variable
  set_fact:
    var_multiple_time_servers: !!str time.nist.gov,time-a-g.nist.gov,time-b-g.nist.gov,time-c-g.nist.gov
  tags:
    - always

- name: Configure Systemd Timesyncd Servers - Set Primary NTP Servers
  ansible.builtin.set_fact:
    preferred_ntp_servers: '{{ var_multiple_time_servers.split(",") | slice(2)| first
      | join(" ") }}'
  when:
  - '"linux-base" in ansible_facts.packages'
  - '"systemd" in ansible_facts.packages'
  tags:
  - PCI-DSS-Req-10.4.3
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_timesyncd_configured

- name: Configure Systemd Timesyncd Servers - Set Fallback NTP Servers
  ansible.builtin.set_fact:
    fallback_ntp_servers: '{{ var_multiple_time_servers.split(",") | slice(2)| list
      | last | join(" ") }}'
  when:
  - '"linux-base" in ansible_facts.packages'
  - '"systemd" in ansible_facts.packages'
  tags:
  - PCI-DSS-Req-10.4.3
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_timesyncd_configured

- name: Set 'NTP' to '{{ preferred_ntp_servers }}' in the [Time] section of '/etc/systemd/timesyncd.conf.d/oscap-remedy.conf'
  community.general.ini_file:
    path: /etc/systemd/timesyncd.conf.d/oscap-remedy.conf
    section: Time
    option: NTP
    value: '{{ preferred_ntp_servers }}'
    create: true
    mode: 420  # decimal 420 is octal 0644
  when:
  - '"linux-base" in ansible_facts.packages'
  - '"systemd" in ansible_facts.packages'
  tags:
  - PCI-DSS-Req-10.4.3
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_timesyncd_configured

- name: Set 'FallbackNTP' to '{{ fallback_ntp_servers }}' in the [Time] section of
    '/etc/systemd/timesyncd.conf.d/oscap-remedy.conf'
  community.general.ini_file:
    path: /etc/systemd/timesyncd.conf.d/oscap-remedy.conf
    section: Time
    option: FallbackNTP
    value: '{{ fallback_ntp_servers }}'
    create: true
    mode: 420  # decimal 420 is octal 0644
  when:
  - '"linux-base" in ansible_facts.packages'
  - '"systemd" in ansible_facts.packages'
  tags:
  - PCI-DSS-Req-10.4.3
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_timesyncd_configured
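Both remediations above leave the intended servers in the oscap-remedy.conf drop-in and comment out any other NTP=/FallbackNTP= lines, because a second active assignment elsewhere in timesyncd.conf or its drop-ins makes the effective server set ambiguous. The following audit helper is an added example, not part of the ComplianceAsCode rule or its remediation; it walks the same files, lists every active assignment of a key inside a [Time] section, and passes only when exactly one exists and matches the expected value. The sample tree it builds (make_sample_tree, the file contents, and the zz-local.conf drop-in) is constructed for offline demonstration.

```shell
#!/bin/bash
# Added audit helper, not part of the ComplianceAsCode rule or its remediation.
# Lists every active (uncommented) KEY= assignment found inside a [Time] section
# of timesyncd.conf and its .conf.d drop-ins, the same files the remediation edits.
# Output: one "file<TAB>value" line per active assignment.
timesyncd_active_values() {
    local key="$1" main="$2" dropin="$3" f
    for f in "$main" "$dropin"/*.conf; do
        [ -r "$f" ] || continue
        awk -v key="$key" -v file="$f" '
            /^[[:space:]]*\[/ { in_time = ($0 ~ /^[[:space:]]*\[Time\][[:space:]]*$/); next }
            in_time && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
                sub("^[[:space:]]*" key "[[:space:]]*=[[:space:]]*", "")
                sub(/[[:space:]]+$/, "")
                print file "\t" $0
            }' "$f"
    done
}

# Returns 0 only when exactly one active assignment exists and its value equals
# EXPECTED verbatim (space-separated list, order-sensitive). Two active
# assignments, e.g. a drop-in the remediation did not comment out, are a finding
# because the effective server set is no longer unambiguous.
timesyncd_check() {
    local key="$1" expected="$2" main="$3" dropin="$4" lines
    lines=$(timesyncd_active_values "$key" "$main" "$dropin")
    [ "$(printf '%s\n' "$lines" | grep -c .)" -eq 1 ] || return 1
    [ "$(printf '%s\n' "$lines" | cut -f2-)" = "$expected" ]
}

# Constructed sample tree (hypothetical contents, for offline demonstration):
# the main file as the remediation leaves it, the oscap-remedy.conf drop-in,
# and a stray zz-local.conf drop-in that still carries an active FallbackNTP=.
make_sample_tree() {
    local root="$1"
    mkdir -p "$root/timesyncd.conf.d"
    printf '[Time]\n#NTP=\n#FallbackNTP=ntp.ubuntu.com\n' > "$root/timesyncd.conf"
    printf '[Time]\nNTP=time.nist.gov time-a-g.nist.gov\nFallbackNTP=time-b-g.nist.gov time-c-g.nist.gov\n' \
        > "$root/timesyncd.conf.d/oscap-remedy.conf"
    printf '[Time]\nFallbackNTP=pool.example.invalid\n' > "$root/timesyncd.conf.d/zz-local.conf"
}

# Against a live host:
#   timesyncd_check NTP "time.nist.gov time-a-g.nist.gov" \
#       /etc/systemd/timesyncd.conf /etc/systemd/timesyncd.conf.d && echo "NTP ok"
```

On the sample tree the NTP check passes while the FallbackNTP check fails, because zz-local.conf contributes a second active FallbackNTP= line that the remediation's sed pass would have commented out.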