MEDIUM RHCOS (Node) M25: Chrony/NTP Configuration P3
Remediation required. This group (4 checks) fails on vanilla RHCOS 10.2 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 5.0, RHCOS 10.2) with compliance-operator v1.8.2.
Overview
Hardens time synchronization by restricting chrony to client-only mode, disabling the chronyc network interface, setting maximum poll intervals, and requiring multiple NTP servers for resilience.
Profile: NIST 800-53 Moderate (rhcos4-moderate)
Compliance Checks
| Check | Description |
|---|---|
| client-only | Restrict chrony to client mode (no serving) |
| no-chronyc-network | Disable chronyc network command interface |
| or-ntpd-set-maxpoll | Set maximum NTP polling interval |
| or-ntpd-specify-multiple-servers | Require multiple NTP servers |
Verification
oc debug node/<node> -- chroot /host chronyc sources
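Beyond confirming that sources are reachable, the node's /etc/chrony.conf (for example read back with `oc debug node/<node> -- chroot /host cat /etc/chrony.conf`) can be audited offline against the four checks in this group. The script below is an added example, not compliance-operator or MCO code; the pass conditions (`port 0`, `cmdport 0`, an explicit `maxpoll` of at most 10 on every server/pool line, at least two server/pool lines) and the sample files are assumptions modelled on the check descriptions above.

```python
# Added example (not compliance-operator or MCO code): audit a chrony.conf
# against this group's four checks. Pass conditions are assumptions; chrony's
# implicit maxpoll default of 10 does not satisfy set-maxpoll, it must be explicit.
import re

MAX_POLL = 10     # assumed threshold, matching the "maxpoll 10" proposal
MIN_SERVERS = 2   # assumed minimum for "multiple NTP servers"

def _directives(conf):
    """Yield (keyword, args) per directive, dropping comments and blank lines."""
    for raw in conf.splitlines():
        line = re.split(r"[#!%;]", raw, maxsplit=1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0].lower(), parts[1:]

def audit_chrony(conf):
    """Return {check name: passed} using the check names from the table above."""
    port = cmdport = None
    sources = []  # (address, explicit maxpoll or None) for each server/pool line
    for kw, args in _directives(conf):
        if kw == "port" and args:
            port = args[0]
        elif kw == "cmdport" and args:
            cmdport = args[0]
        elif kw in ("server", "pool") and args:
            maxpoll = None
            if "maxpoll" in args[:-1]:  # only count maxpoll when a value follows it
                value = args[args.index("maxpoll") + 1]
                maxpoll = int(value) if value.isdigit() else None
            sources.append((args[0], maxpoll))
    return {
        "client-only": port == "0",
        "no-chronyc-network": cmdport == "0",
        "or-ntpd-set-maxpoll": bool(sources)
        and all(mp is not None and mp <= MAX_POLL for _, mp in sources),
        "or-ntpd-specify-multiple-servers": len(sources) >= MIN_SERVERS,
    }

# Constructed samples: a stock-style RHCOS file and one a MachineConfig would deliver.
VANILLA_CONF = "pool 2.rhel.pool.ntp.org iburst\ndriftfile /var/lib/chrony/drift\nmakestep 1.0 3\nrtcsync\n"
HARDENED_CONF = """\
server ntp1.example.internal iburst maxpoll 10   # internal time source
server ntp2.example.internal iburst maxpoll 10
port 0      # client-only: do not serve NTP
cmdport 0   # no chronyc network command interface
"""
```

Running `audit_chrony(VANILLA_CONF)` reports all four checks failing, which matches the behaviour described for vanilla RHCOS above, while `HARDENED_CONF` passes all four.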
Upstream Proposal
The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:

| Change | Scope | Priority | Repository | Component | Notes |
|---|---|---|---|---|---|
| maxpoll 10, multiple NTP servers | Site | Low | openshift/machine-config-operator | MCO chrony config template | MCO generates chrony.conf at install time. maxpoll and the server list are deployment-specific. The template should set maxpoll=10 by default. Scope: NTP server addresses and maxpoll intervals are site-specific. The MCO template could default maxpoll=10, but the server list must be configured per deployment. |
PR History
| Change | Notes |
|---|---|
| maxpoll 10, multiple NTP servers | NTP server selection and chrony configuration are inherently site-specific. FCOS defaults to Fedora NTP pools, but enterprise environments need internal time sources for PCI compliance (fedora-coreos-tracker#517). maxpoll=10 (1024s) is already the chrony default. port=0/cmdport=0 disables chrony listening, which breaks NTP server functionality if the node needs to serve time. FCOS chrony config handling has known conflicts with user modifications (fedora-coreos-tracker#1449). |