F20 Self Contained Change: Remove deprecated calls of using ntpdate in favor of ntpd

Kurt Seifried kurt at seifried.org
Sat Jul 20 02:49:22 UTC 2013


On Fri, Jul 19, 2013 at 2:37 PM, Miloslav Trmač <mitr at volny.cz> wrote:

> On Wed, Jul 17, 2013 at 12:43 PM, Jaroslav Reznik <jreznik at redhat.com>
> wrote:
> > = Proposed Self Contained Change: Remove deprecated calls of using ntpdate in favor of ntpd =
> > https://fedoraproject.org/wiki/Changes/ntpdate
>
> Given what has been discussed/learned in this thread, it seems that
> the change proposal needs some changes (and perhaps another round of
> discussion?).
>

Probably.

> Looking at the rationale, I wonder how the things that have been
> discussed so far (replacement of ntpd with chrony, and ntpdate with
> sntp) make a difference with respect to the hardening recommendations
> - perhaps such changes would help avoid the letter of the
> recommendations, but what about the substance?  For example in
> http://www.nsa.gov/ia/_files/factsheets/rhel5-pamphlet-i731.pdf, I
> really doubt the intent was to exclude specifically a daemon named
> ntpd - rather the intent was most likely to avoid running a daemon at
> all[1], so just using chrony instead of ntpd wouldn't make a
> substantial difference.
>     Mirek
>

On the other hand the DISA STIG (http://iase.disa.mil/stigs/scap/) content
for RHEL 5 and 6 says it must be enabled, or

RHEL 5:
SV-37402r1_rule The system clock must be synchronized to an authoritative
DoD time source.
it then goes on to talk about how to make sure ntpd/xntpd is running, or,
failing that, that ntpdate is run from a cronjob.

RHEL 6:
SV-50421r1_rule The system clock must be synchronized continuously, or at
least daily.

I also checked the AIX/other UNIX STIGs, they all basically say "The system
clock must be synchronized continuously, or at least daily." with a
preference given to ntpd/etc., also

"NOTE: While it is possible to run ntpdate from a cron script, it is
important to mention that ntpdate with contrived cron scripts is no
substitute for the NTP daemon, which uses sophisticated algorithms to
maximize accuracy and reliability while minimizing resource use."

So I would say DISA STIG REQUIREMENTS (e.g. to CERTIFY a system) outweigh
NSA "Hardening Tips" which AFAIK carry no official weight.

Also every other sane security standard/audit list/etc I'm aware of calls
out NTP as being required, e.g. from the CSA CAIQ "Clock Synchronization
SA-12 SA-12.1 Do you utilize a synchronized time-service protocol (ex. NTP)
to ensure all systems have a common time reference?"

So on the one hand we have official DISA STIG REQUIREMENTS, and virtually
every security standard I'm aware of saying you must synchronize using NTP,
or failing that use ntpdate as a fallback, vs. a "Hardening Tips" document
that carries no official weight.

So it looks like the best course of action would be to enable some sort of
clock synchronization daemon by default with an install option (through GUI
and kickstart) to turn it off and a post install option to turn it off
(e.g. normal systemd tools). All of which conveniently exist already =).
> [1] Leaving aside whether such a recommendation is well justified.
> --
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
>
-- 
Kurt Seifried
kurt at seifried.org
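A defender-side audit of the STIG requirement discussed above (ntpd running and synchronized, or failing that ntpdate run from cron at least daily), as an added example that is not code from this thread or from the Fedora change. It parses constructed `ntpq -p` and crontab text embedded below; the 128 ms offset bound (ntpd's step threshold) is an assumption.

```python
import re

# Constructed sample of `ntpq -p` output; not taken from the thread.
NTPQ_SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time1.example   192.0.2.10       2 u   41   64  377    1.532   -0.214   0.098
+time2.example   198.51.100.7     2 u   12   64  377    2.011    0.317   0.145
 time3.example   .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

# Constructed user crontab with the daily ntpdate fallback the STIG accepts.
CRON_SAMPLE = "0 3 * * * /usr/sbin/ntpdate -u time1.example\n"

# One ntpq peer line: tally code, remote, refid, stratum, type, when, poll,
# reach (octal shift register), delay, offset, jitter. Widths vary, so the
# fields are split on whitespace rather than by column.
PEER_RE = re.compile(
    r"^([ x.\-+#*o])(\S+)\s+(\S+)\s+(\d+)\s+(\S)\s+(\S+)\s+(\d+)\s+(\d+)"
    r"\s+(-?[\d.]+)\s+(-?[\d.]+)\s+(-?[\d.]+)\s*$"
)


def ntpd_synchronized(ntpq_output, max_offset_ms=128.0):
    """True if ntpd has selected a system peer ('*' or PPS 'o') whose most
    recent poll succeeded and whose offset is within max_offset_ms (assumed
    bound: ntpd steps the clock beyond 128 ms, so it is not 'synchronized')."""
    for line in ntpq_output.splitlines():
        m = PEER_RE.match(line)
        if not m or m.group(1) not in "*o":
            continue
        reach = int(m.group(8), 8)           # low bit = last poll answered
        if reach & 0o1 and abs(float(m.group(10))) <= max_offset_ms:
            return True
    return False


def ntpdate_cron_daily(crontab):
    """True if a user-crontab entry runs ntpdate at least once a day, i.e.
    day-of-month, month and day-of-week are all '*' (hourly also passes)."""
    for line in crontab.splitlines():
        fields = line.strip().split(None, 5)
        if len(fields) < 6 or fields[0].startswith("#") or "ntpdate" not in fields[5]:
            continue
        if fields[2] == "*" and fields[3] == "*" and fields[4] == "*":
            return True
    return False


def stig_clock_sync_ok(ntpq_output, crontab):
    """STIG-style check: a synchronized ntpd satisfies the requirement;
    failing that, a daily ntpdate cron job does."""
    return ntpd_synchronized(ntpq_output) or ntpdate_cron_daily(crontab)
```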