On 10/24/13, 1:44 PM, Shaw, Ray V CTR USARMY ARL (US) wrote:
It would be nice if the prose/check allowed for cases where you have a "multicastclient" line in ntp.conf and servers defined in step-tickers, for large sites that don't want every client going directly to the NTP servers. Though I wonder if there are very many sites fitting this description (or I should just get over it and write a PoA&M for this one).

FWIW, this would fall under the case of "ntpd enabled but servers not defined in ntp.conf". Ideally, I wish we could simply use ntpstat to answer one rule ("is NTP actually working?"), as you could easily have broken servers defined and ntpd running but no time synchronization. That's not the way the rules are currently spelled out, though, and I'm not sure if OVAL can do that.
I tried stracing ntpstat to figure out what it was doing. There doesn't seem to be a clear "grep this file for this regex" approach we could take...
OVAL could be updated to check if multicast & step-tickets are configured, and pass if so. Want to take a stab at it? :)
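The check the reply proposes, written out in shell as an added example (this is not code from the scap-security-guide project or from either poster, and a real implementation would be OVAL XML rather than a script): pass when ntp.conf names a server directly, or when it has a "multicastclient" line and step-tickers lists at least one host. The paths /etc/ntp.conf and /etc/ntp/step-tickers are the usual Red Hat locations; the sample file contents are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not scap-security-guide code): shell rendering of the proposed rule.
# Pass if ntp.conf names at least one server directly, or if it has
# "multicastclient" and step-tickers lists at least one host.
#
# Usage: ntp_sources_configured /etc/ntp.conf /etc/ntp/step-tickers
ntp_sources_configured() {
    conf="$1"
    tickers="$2"

    # Case 1: an uncommented "server <host>" line in ntp.conf.
    if [ -r "$conf" ] &&
       grep -Eq '^[[:space:]]*server[[:space:]]+[^[:space:]]' "$conf"; then
        return 0
    fi

    # Case 2: "multicastclient" in ntp.conf plus at least one non-blank,
    # non-comment line in step-tickers (the hosts ntpdate steps the clock
    # against before ntpd starts).
    if [ -r "$conf" ] &&
       grep -Eq '^[[:space:]]*multicastclient([[:space:]]|$)' "$conf" &&
       [ -r "$tickers" ] &&
       grep -Eq '^[[:space:]]*[^#[:space:]]' "$tickers"; then
        return 0
    fi

    return 1
}

# Constructed sample files in a scratch directory so the example runs offline.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Direct server configuration: passes on its own.
printf '# constructed sample\nserver ntp1.example.com iburst\n' > "$SAMPLE_DIR/direct.conf"
# Multicast client with no direct servers: passes only with a populated step-tickers.
printf 'multicastclient\nrestrict default kod nomodify notrap\n' > "$SAMPLE_DIR/multicast.conf"
# Only a commented-out server line: fails.
printf '#server ntp1.example.com iburst\n' > "$SAMPLE_DIR/commented.conf"
# step-tickers with one host, and one holding only a comment.
printf 'ntp1.example.com\n' > "$SAMPLE_DIR/tickers.ok"
printf '# no hosts listed\n' > "$SAMPLE_DIR/tickers.empty"

# Print the verdict for one (ntp.conf, step-tickers) pair.
report() {
    if ntp_sources_configured "$1" "$2"; then
        echo "PASS: $1 with $2"
    else
        echo "FAIL: $1 with $2"
    fi
}

report "$SAMPLE_DIR/direct.conf"    "$SAMPLE_DIR/tickers.empty"
report "$SAMPLE_DIR/multicast.conf" "$SAMPLE_DIR/tickers.ok"
report "$SAMPLE_DIR/multicast.conf" "$SAMPLE_DIR/tickers.empty"
report "$SAMPLE_DIR/commented.conf" "$SAMPLE_DIR/tickers.ok"
```

As the thread notes, this only confirms that time sources are configured, not that the clock is actually synchronized; the ntpstat question is a separate check.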
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
