Ack -Kevin
On Aug 13, 2012, at 3:47 PM, Jeffrey Blank <[email protected]> wrote: > > Signed-off-by: Jeffrey Blank <[email protected]> > --- > RHEL6/input/services/ntp.xml | 104 ++++++++++++++++++++---------------------- > 1 files changed, 50 insertions(+), 54 deletions(-) > > diff --git a/RHEL6/input/services/ntp.xml b/RHEL6/input/services/ntp.xml > index c1acd4a..c87fedf 100644 > --- a/RHEL6/input/services/ntp.xml > +++ b/RHEL6/input/services/ntp.xml > @@ -16,81 +16,77 @@ prevent certain types of attacks. If your network does > not have > synchronized time, these protocols may be unreliable or even > unusable. > <br /><br /> > -Depending on the specifics of the network, global time > -accuracy may be just as important as local synchronization, or not > -very important at all. If your network is connected to the > -Internet, it is recommended that you make use of a public > -timeserver, since globally accurate timestamps may be necessary if > -you need to investigate or respond to an attack which originated > -outside of your network. > +Depending on the specifics of the network, global time accuracy may be just > as > +important as local synchronization, or not very important at all. If your > +network is connected to the Internet, it is recommended that you make use of > a > +public timeserver or one provided by your enterprise or agency, since > globally > +accurate timestamps may be necessary if you need to investigate or respond to > +an attack which originated outside of your network. > <br /><br /> > -Whether or not you use an outside timeserver, configure the > -network to have a small number of machines operating as NTP > +A typical network setup involves a small number of internal systems > operating as NTP > servers, and the remainder obtaining time information from those > -internal servers.</description> > - > -<Group id="configuring_ntpd"> > -<title>Configure an NTP Server</title> > -<description>The site's NTP server contacts a central NTP server, > -probably either one provided by your ISP or a public time server, > -to obtain accurate time data. The server then allows other machines > -on your network to request the time data. > +internal servers. > <br /><br /> > -The NTP server configuration file is located at > <tt>/etc/ntp.conf</tt>.</description> > -<Group id="enabling_ntpd"> > -<title>Enable the NTP Daemon</title> > -<description>If this machine is an NTP server, ensure that <tt>ntpd</tt> is > enabled at boot time.</description> > +More information on how to configure the NTP server software, > +including configuration of cryptographic authentication for > +time data, is available at http://www.ntp.org. > +</description> > > <Rule id="enable_ntpd"> > <title>Enable the NTP Daemon</title> > <description> > <service-enable-macro service="ntpd" /> > </description> > -<rationale> Enabling the <tt>ntpd</tt> service ensures that the local system > -time will be the same on all computers. This is essential for authentication > +<rationale>Enabling the <tt>ntpd</tt> service ensures that the <tt>ntpd</tt> > +service will be running and that the system will synchronize its time to > +any servers specified. This is important whether the system is configured to > be > +a client (and synchronize only its own clock) or it is also acting as an NTP > +server to other systems. Synchronizing time is essential for authentication > services such as Kerberos, but it is also important for maintaining accurate > logs and auditing possible security breaches.</rationale> > <ident cce="4376-0" /> > <oval id="service_ntpd_enabled" /> > <ref disa="160" /> > </Rule> > -</Group> > - > -<Group id="configuring_ntpd_client"> > -<title>Specify a Remote NTP Server for Time Data</title> > -<description>Find the IP address of an appropriate remote NTP server and > -configure <tt>ntpd</tt> to use it to obtain accurate time data. If your site > -does not require time data to be accurate, but merely to be synchronized > among > -local machines, this step can be omitted, and the NTP server will default to > -providing time data from the local clock. However, it is a good idea to > -periodically synchronize the clock to some source of accurate time, even if > it > -is not appropriate to do so automatically.</description> > > <Rule id="ntpd_specify_remote_server"> > -<title>Specify a Remote NTP Server for Time Data</title> > -<description>A remote NTP Server for time synchronization should be > specified. > -Edit the file <tt>/etc/ntp.conf</tt>, and add or correct the following lines, > -substituting the IP address of a remote NTP server for <em>server-ip</em>: > -<pre>restrict server-ip mask 255.255.255.255 nomodify notrap noquery server > -server-ip</pre> This NTP server must contact a remote server to obtain > accurate > -data, so NTP's configuration must allow that remote data to be used to modify > -the system clock. The restrict line changes the default access permissions > for > -that remote server. The server line specifies the remote server as the > -preferred NTP server for time data. If you intend to synchronize to more than > -one server, specify restrict and server lines for each server. > -<br /><br /> > -Note: It would be possible to specify a hostname, rather than an IP address, > -for the server field. However, the restrict setting applies only to network > -blocks of IP addresses, so it is considered more maintainable to use the IP > -address in both fields.</description> > -<rationale> Synchonizing <tt>ntpd</tt> with an accurate clock makes it easier > +<title>Specify a Remote NTP Server</title> > +<description>To specify a remote NTP server for time synchronization, edit > +the file <tt>/etc/ntp.conf</tt>. Add or correct the following lines, > +substituting the IP or hostname of a remote NTP server for > <em>ntpserver</em>: > +<pre>server <i>ntpserver</i></pre> > +This instructs the NTP software to contact that remote server to obtain time > +data. > +</description> > +<rationale> Synchronizing with an NTP server makes it possible > to collate system logs from multiple sources or correlate computer events with > -real time events.</rationale> > +real time events. Using a trusted NTP server provided by your organization is > +recommended.</rationale> > <ident cce="4385-1" /> > <oval id="ntp_remote_server" /> > <ref disa="160" /> > </Rule> > -</Group> > -</Group> > + > + > +<Rule id="ntpd_specify_multiple_servers"> > +<title>Specify Additional Remote NTP Servers</title> > +<description>Additional NTP servers can be specified for time synchronization > +in the file <tt>/etc/ntp.conf</tt>. To do so, add additional lines of the > +following form, substituting the IP address or hostname of a remote NTP > server for > +<em>ntpserver</em>: > +<pre>server <i>ntpserver</i></pre> > +</description> > +<rationale>Specifying additional NTP servers increases the availability of > +accurate time data, in the event that one of the specified servers becomes > +unavailable. This is typical for a system acting as an NTP server for > +other systems. > +</rationale> > +</Rule> > + > +<!-- future Rules (for later profiles/enhancements): > +ensuring use of the restrict keyword > +enabling cryptographic authentication (multiple options) > +--> > + > </Group> > > -- > 1.7.1 > > _______________________________________________ > scap-security-guide mailing list > [email protected] > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide _______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
