<div dir="ltr">On Fri, Jul 19, 2013 at 2:37 PM, Miloslav Trmač <span dir="ltr"><<a href="mailto:mitr@volny.cz" target="_blank">mitr@volny.cz</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div class="im">On Wed, Jul 17, 2013 at 12:43 PM, Jaroslav Reznik <<a href="mailto:jreznik@redhat.com">jreznik@redhat.com</a>> wrote:<br>
> = Proposed Self Contained Change: Remove deprecated calls of using ntpdate in<br>
> favor of ntpd =<br>
> <a href="https://fedoraproject.org/wiki/Changes/ntpdate" target="_blank">https://fedoraproject.org/wiki/Changes/ntpdate</a><br>
<br>
</div>Given what has been discussed/learned in this thread, it seems that<br>
the change proposal needs some changes (and perhaps another round of<br>
discussion?).<br></blockquote><div><br></div><div>Probably. </div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Looking at the rationale, I wonder how the things that have been<br>
discussed so far (replacement of ntpd with chrony, and ntpdate with<br>
sntp) make a difference with respect to the hardening recommendations<br>
- perhaps such changes would help avoid the letter of the<br>
recommendations, but what about the substance? For example in<br>
<a href="http://www.nsa.gov/ia/_files/factsheets/rhel5-pamphlet-i731.pdf" target="_blank">http://www.nsa.gov/ia/_files/factsheets/rhel5-pamphlet-i731.pdf</a>, I<br>
really doubt the intent was to exclude specifically a daemon named<br>
ntpd - rather the intent was most likely to avoid running a daemon at<br>
all[1], so just using chrony instead of ntpd wouldn't make a<br>
substantial difference.<br>
Mirek<br></blockquote><div><br></div><div>On the other hand the DISA STIG (<a href="http://iase.disa.mil/stigs/scap/">http://iase.disa.mil/stigs/scap/</a>) content for RHEL 5 and 6 says it must be enabled, or </div><div>
<br></div><div>RHEL 5:</div><div><div>SV-37402r1_rule The system clock must be synchronized to an authoritative DoD time source.</div></div><div>it then goes on to talk about how to make sure ntpd/xntpd is running, or failing that that ntpdate is run from a cronjob.</div>
<div><br></div><div>RHEL 6:</div><div>SV-50421r1_rule<span style="white-space:pre"> </span>The system clock must be synchronized continuously, or at least daily.<br></div><div> </div><div>I also checked the AIX/other UNIX stigs, they all basically say "The system clock must be synchronized continuously, or at least daily." with a preference given to ntpd/etc., also</div>
<div><br></div><div>"NOTE: While it is possible to run ntpdate from a cron script, it is important to mention that ntpdate with contrived cron scripts is no substitute for the NTP daemon, which uses sophisticated algorithms to maximize accuracy and reliability while minimizing resource use."</div>
<div><br></div><div>So I would say DISA STIG REQUIREMENTS (e.g. to CERTIFY a system) outweigh NSA "Hardening Tips" which AFAIK carry no official weight.</div><div><br></div><div>Also every other sane security standard/audit list/etc I'm aware of calls out NTP as being required, e.g. from the CSA CAIQ "Clock Synchronization<span style="white-space:pre"> </span>SA-12<span style="white-space:pre"> </span>SA-12.1<span style="white-space:pre"> </span>Do you utilize a synchronized time-service protocol (ex. NTP) to ensure all systems have a common time reference?"</div>
<div><br></div><div>So on the one hand we have official DISA STIG REQUIREMENTS, and virtually every security standard I'm aware of saying you must synchronize using NTP, or failing that use ntpdate as a fallback, vs. a "Hardening Tips" document that carries no official weight. </div>
<div><br></div><div>So it looks like the best course of actions would be to enable some sort of clock synchronization daemon by default with an install option (through GUI and kickstart) to turn it off and a post install option to turn it off (e.g. normal systemd tools). All of which conveniently exist already =).</div>
<div><br></div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
[1] Leaving aside whether such a recommendation is well justified.<br>
<div class=""><div class="h5">--<br>
devel mailing list<br>
<a href="mailto:devel@lists.fedoraproject.org">devel@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/devel" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/devel</a></div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>Kurt Seifried<br>
<a href="mailto:kurt@seifried.org" target="_blank">kurt@seifried.org</a>
</div></div>