ansible-hardening/templates/chrony.conf.j2
Shannon Mitchell 4cb2fa4eaa Enable ntp client functionality with chronyd
Using 'bindaddress' in the /etc/chrony/chrony.conf disables both
client and server ntp functionality as it cannot get the ntp
responses from peer servers.  The default install will leave the
servers unsynced with an ntp source causing them to skew over
time and eventually break services that rely on synced time.
Setting 'port 0' will disable the server functionality.  Using
'bindcmdaddress' will still chronc<->chronyd communictions over
localhost only.  This should allow client functionality and
disable server functionality.

Change-Id: Ie9b6e73333d9469a17e4cee06f21aa99b2b3df7e
Closes-Bug: #1656086
2017-02-24 16:15:23 +00:00

105 lines
3.6 KiB
Django/Jinja

# {{ ansible_managed }}
#
# This the default chrony.conf file for the Debian chrony package. After
# editing this file use the command 'invoke-rc.d chrony restart' to make
# your changes take effect. John Hasler <jhasler@debian.org> 1998-2008
# See www.pool.ntp.org for an explanation of these servers. Please
# consider joining the project if possible. If you can't or don't want to
# use these servers I suggest that you try your ISP's nameservers. We mark
# the servers 'offline' so that chronyd won't try to connect when the link
# is down. Scripts in /etc/ppp/ip-up.d and /etc/ppp/ip-down.d use chronyc
# commands to switch it on when a dialup link comes up and off when it goes
# down. Code in /etc/init.d/chrony attempts to determine whether or not
# the link is up at boot time and set the online status accordingly. If
# you have an always-on connection such as cable omit the 'offline'
# directive and chronyd will default to online.
#
# Note that if Chrony tries to go "online" and dns lookup of the servers
# fails they will be discarded. Thus under some circumstances it is
# better to use IP numbers than host names.
{% for ntp_server in security_ntp_servers %}
server {{ ntp_server }} offline maxpoll 10 minpoll 8
{% endfor %}
# Look here for the admin password needed for chronyc. The initial
# password is generated by a random process at install time. You may
# change it if you wish.
keyfile /etc/chrony/chrony.keys
# Set runtime command key. Note that if you change the key (not the
# password) to anything other than 1 you will need to edit
# /etc/ppp/ip-up.d/chrony, /etc/ppp/ip-down.d/chrony, /etc/init.d/chrony
# and /etc/cron.weekly/chrony as these scripts use it to get the password.
commandkey 1
# I moved the driftfile to /var/lib/chrony to comply with the Debian
# filesystem standard.
driftfile /var/lib/chrony/chrony.drift
# Comment this line out to turn off logging.
log tracking measurements statistics
logdir /var/log/chrony
# Stop bad estimates upsetting machine clock.
maxupdateskew 100.0
# Dump measurements when daemon exits.
dumponexit
# Specify directory for dumping measurements.
dumpdir /var/lib/chrony
# Let computer be a server when it is unsynchronised.
local stratum 10
# Allow computers on the unrouted nets to use the server.
{% for subnet in security_allowed_ntp_subnets %}
allow {{ subnet }}
{% endfor %}
# This directive forces `chronyd' to send a message to syslog if it
# makes a system clock adjustment larger than a threshold value in seconds.
logchange 0.5
# This directive defines an email address to which mail should be sent
# if chronyd applies a correction exceeding a particular threshold to the
# system clock.
# mailonchange root@localhost 0.5
# This directive tells chrony to regulate the real-time clock and tells it
# Where to store related data. It may not work on some newer motherboards
# that use the HPET real-time clock. It requires enhanced real-time
# support in the kernel. I've commented it out because with certain
# combinations of motherboard and kernel it is reported to cause lockups.
# rtcfile /var/lib/chrony/chrony.rtc
# If the last line of this file reads 'rtconutc' chrony will assume that
# the CMOS clock is on UTC (GMT). If it reads '# rtconutc' or is absent
# chrony will assume local time. The line (if any) was written by the
# chrony postinst based on what it found in /etc/default/rcS. You may
# change it if necessary.
rtconutc
{% if security_ntp_bind_local_interfaces_only | bool %}
# Listen for NTP requests only on local interfaces.
port 0
bindcmdaddress 127.0.0.1
{% if not security_disable_ipv6 | bool %}
bindcmdaddress ::1
{% endif %}
{% endif %}