
This patch enables chrony and performs basic configuration to meet the STIG requirements. These tasks can't be enabled in OpenStack CI due to conflicts with existing NTP daemons in the CI image. Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: If6736c0f4a16de1ba41a4cfa00f5f72f8baf0054
---
id: RHEL-07-040210
status: implemented
tag: misc
---

The tasks in the security role make the following changes on each host:
- The chrony package is installed.
- The service (chronyd on Red Hat and CentOS, chrony on Ubuntu) is started and enabled at boot time.
- A configuration file template is deployed that includes maxpoll 10 on each server line.

Deployers can opt out of these changes by setting the following Ansible variable:
security_rhel7_enable_chrony: no

Note
Although the STIG mentions the traditional ntpd service, this role uses chrony, which is a more modern implementation.
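
A way to verify the deployed configuration on a host, added here as an example and not part of the role's own code: the function below reports every server line that lacks maxpoll 10 and fails if no time source is configured at all. It also checks pool lines, which goes beyond what the text above states; the sample files and hostnames are constructed.

```shell
#!/bin/sh
# check_maxpoll FILE
# Prints each time source line without "maxpoll 10" as FILE:LINE: text.
# Returns 1 if any such line exists or if the file defines no time source.
check_maxpoll() {
    awk '
        # Comment lines never match: their first field starts with a marker.
        # chrony directives are not case-sensitive, hence tolower().
        tolower($1) == "server" || tolower($1) == "pool" {
            sources++
            ok = 0
            # Field 2 is the hostname; options start at field 3.
            for (i = 3; i < NF; i++)
                if (tolower($i) == "maxpoll" && $(i + 1) == "10") ok = 1
            if (!ok) { printf "%s:%d: %s\n", FILENAME, FNR, $0; bad++ }
        }
        END { if (bad > 0 || sources == 0) exit 1 }
    ' "$1"
}

# Constructed sample configurations (hostnames are placeholders).
sample_dir=$(mktemp -d)
cat > "$sample_dir/good.conf" <<'EOF'
# managed by Ansible
server 0.pool.example.org iburst maxpoll 10
server 1.pool.example.org maxpoll 10 iburst
EOF
cat > "$sample_dir/bad.conf" <<'EOF'
server 0.pool.example.org iburst maxpoll 10
server 1.pool.example.org iburst
server 2.pool.example.org iburst maxpoll 17
EOF

for f in "$sample_dir/good.conf" "$sample_dir/bad.conf"; do
    if check_maxpoll "$f"; then echo "PASS $f"; else echo "FAIL $f"; fi
done
```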