Merge "Add new parameter 'security_ntp_bind_local_interfaces_only'"

Jenkins 2016-05-27 12:52:11 +00:00 committed by Gerrit Code Review
commit a73aee2fc9
4 changed files with 23 additions and 3 deletions


@ -138,6 +138,8 @@ security_allowed_ntp_subnets:
- 10/8 - 10/8
- 192.168/16 - 192.168/16
- 172.16/12 - 172.16/12
# Listen for NTP requests only on local interfaces.
security_ntp_bind_local_interfaces_only: yes
## Core dumps ## Core dumps
# V-38675 requires disabling core dumps for all users unless absolutely # V-38675 requires disabling core dumps for all users unless absolutely


@ -228,9 +228,14 @@ openstack-ansible-security role.
The default settings will work for most environments, but some deployers may The default settings will work for most environments, but some deployers may
prefer to use NTP servers which are geographically closer to their servers. prefer to use NTP servers which are geographically closer to their servers.
Also, the default configuration allows `RFC1918`_ addresses to reach the NTP
server running on each host. That could be reduced to ``127.0.0.1/32`` for The role configures the chrony daemon to listen only on localhost. To allow
greater security. chrony to listen on all addresses (the upstream default for chrony),
set the ``security_ntp_bind_local_interfaces_only`` variable to ``False``.
The default configuration allows `RFC1918`_ addresses to reach the NTP server
running on each host. That could be changed by using the
``security_allowed_ntp_subnets`` parameter.
.. _RFC1918: https://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces .. _RFC1918: https://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces
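Review bot: read in sequence, the two added paragraphs contradict each other: the first says chrony listens only on localhost, the next says RFC1918 addresses can reach the NTP server. State explicitly that `security_allowed_ntp_subnets` only matters once `security_ntp_bind_local_interfaces_only` is set to ``False``, and align the wording with the defaults comment ("localhost" here, "local interfaces" there; loopback is what is bound).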


@ -0,0 +1,5 @@
---
features:
- A new configuration parameter ``security_ntp_bind_local_interfaces`` was
added to the security role to restrict the network interface to which
chronyd will listen for NTP requests.
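Review bot: the release note names the variable ``security_ntp_bind_local_interfaces``, but the parameter added in the defaults file and the template is ``security_ntp_bind_local_interfaces_only``; use the exact name so deployers can find it. It would also help to say that it defaults to enabled and binds 127.0.0.1 and ::1, since deployers whose other hosts sync time from these servers need to set it to ``no``.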


@ -93,3 +93,11 @@ logchange 0.5
# chrony postinst based on what it found in /etc/default/rcS. You may # chrony postinst based on what it found in /etc/default/rcS. You may
# change it if necessary. # change it if necessary.
rtconutc rtconutc
{% if security_ntp_bind_local_interfaces_only | bool %}
# Listen for NTP requests only on local interfaces.
bindaddress 127.0.0.1
{% if not security_disable_ipv6 | bool %}
bindaddress ::1
{% endif %}
{% endif %}
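Review bot: the template comment says "local interfaces" but the directives bind only the loopback addresses; change it to "loopback addresses" to match. If this template also emits `allow` lines from `security_allowed_ntp_subnets`, consider wrapping them in the opposite branch (or at least commenting on the interaction), since with `bindaddress 127.0.0.1` those subnets cannot reach the server and the lines are misleading. The `security_disable_ipv6` guard around `bindaddress ::1` is the right call.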