MEDIUM RHCOS (Node) M25: Chrony/NTP Configuration P3
Remediation required. This group (4 checks) fails on vanilla RHCOS 9.8 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 4.22, RHCOS 9.8) with compliance-operator v1.8.2.
Overview
Hardens time synchronization by restricting chrony to client-only mode, disabling the chronyc network interface, setting maximum poll intervals, and requiring multiple NTP servers for resilience.
Profile: NIST 800-53 Moderate (rhcos4-moderate)
Compliance Checks
| Check | Description |
|---|---|
client-only |
Restrict chrony to client mode (no serving) |
no-chronyc-network |
Disable chronyc network command interface |
or-ntpd-set-maxpoll |
Set maximum NTP polling interval |
or-ntpd-specify-multiple-servers |
Require multiple NTP servers |
Verification
oc debug node/<node> -- chroot /host chronyc sources
Upstream Proposal
The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:
| Setting | Scope | Target Repo | Target File | Rationale | Risk |
|---|---|---|---|---|---|
maxpoll 10, multiple NTP servers |
Site | openshift/machine-config-operator | MCO chrony config template |
MCO generates chrony.conf at install time. maxpoll and server list are deployment-specific. Template should set maxpoll=10 by default.
Scope: NTP server addresses and maxpoll intervals are site-specific. MCO template could default maxpoll=10 but server list must be configured per deployment. |
Low |