Re: F20 Self Contained Change: Remove deprecated calls of using ntpdate in favor of ntpd

On Fri, Jul 19, 2013 at 2:37 PM, Miloslav Trmač <mitr@xxxxxxxx> wrote:
On Wed, Jul 17, 2013 at 12:43 PM, Jaroslav Reznik <jreznik@xxxxxxxxxx> wrote:
> = Proposed Self Contained Change: Remove deprecated calls of using ntpdate in
> favor of ntpd =
> https://fedoraproject.org/wiki/Changes/ntpdate

Given what has been discussed/learned in this thread, it seems that
the change proposal needs some changes (and perhaps another round of
discussion?).

Probably. 

Looking at the rationale, I wonder how the things that have been
discussed so far (replacement of ntpd with chrony, and ntpdate with
sntp) make a difference with respect to the hardening recommendations
- perhaps such changes would help avoid the letter of the
recommendations, but what about the substance?  For example in
http://www.nsa.gov/ia/_files/factsheets/rhel5-pamphlet-i731.pdf, I
really doubt the intent was to exclude specifically a daemon named
ntpd - rather the intent was most likely to avoid running a daemon at
all[1], so just using chrony instead of ntpd wouldn't make a
substantial difference.
    Mirek

On the other hand the DISA STIG (http://iase.disa.mil/stigs/scap/) content for RHEL 5 and 6 says it must be enabled, e.g.:

RHEL 5:
SV-37402r1_rule The system clock must be synchronized to an authoritative DoD time source.
it then goes on to talk about how to make sure ntpd/xntpd is running, or, failing that, that ntpdate is run from a cronjob.

RHEL 6:
SV-50421r1_rule The system clock must be synchronized continuously, or at least daily.
 
I also checked the AIX/other UNIX STIGs; they all basically say "The system clock must be synchronized continuously, or at least daily." with a preference given to ntpd/etc., also

"NOTE: While it is possible to run ntpdate from a cron script, it is important to mention that ntpdate with contrived cron scripts is no substitute for the NTP daemon, which uses sophisticated algorithms to maximize accuracy and reliability while minimizing resource use."

So I would say DISA STIG REQUIREMENTS (e.g. to CERTIFY a system) outweigh NSA "Hardening Tips" which AFAIK carry no official weight.

Also every other sane security standard/audit list/etc I'm aware of calls out NTP as being required, e.g. from the CSA CAIQ "Clock Synchronization SA-12 SA-12.1 Do you utilize a synchronized time-service protocol (ex. NTP) to ensure all systems have a common time reference?"

So on the one hand we have official DISA STIG REQUIREMENTS, and virtually every security standard I'm aware of saying you must synchronize using NTP, or failing that use ntpdate as a fallback, vs. a "Hardening Tips" document that carries no official weight. 

So it looks like the best course of action would be to enable some sort of clock synchronization daemon by default with an install option (through GUI and kickstart) to turn it off and a post install option to turn it off (e.g. normal systemd tools). All of which conveniently exist already =).




[1] Leaving aside whether such a recommendation is well justified.



--
Kurt Seifried
kurt@xxxxxxxxxxxx
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
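The STIG condition Kurt summarizes above (an NTP daemon running, or failing that ntpdate/sntp scheduled from cron, otherwise non-compliant) can be turned into a small audit check. The script below is an added example written for this page, not part of the thread, the STIG content or any Fedora tooling. It assumes a systemd host where the candidate daemons are the chronyd, ntpd and xntpd units and the cron fallback lives in /etc/crontab, /etc/cron.d/* or the root crontab; those names and paths are assumptions. The classification function takes its input as text so it can be exercised against constructed samples without touching the running host.

```shell
#!/bin/sh
# Added example (not from the thread): classify a host's clock-sync posture
# the way the STIG check described above does.
#   "daemon" - an NTP daemon (chronyd, ntpd or xntpd; assumed unit names) is active
#   "cron"   - no daemon, but an uncommented cron line runs ntpdate or sntp
#   "none"   - neither, i.e. the "synchronized continuously, or at least daily"
#              requirement is not met (non-zero exit)
# $1: lines of "<unit> <state>", as produced by live_units below
# $2: crontab/cron.d text, as produced by live_cron below
clock_sync_posture() {
  units="$1"
  cron="$2"

  # Preferred form: a daemon is actually running, not merely installed.
  if printf '%s\n' "$units" | grep -Eq '^(chronyd|ntpd|xntpd)(\.service)? active$'; then
    echo daemon
    return 0
  fi

  # Fallback form: a scheduled one-shot step. Comment lines are ignored so a
  # disabled "# ... ntpdate ..." entry does not count as compliance.
  if printf '%s\n' "$cron" \
       | grep -Ev '^[[:space:]]*#' \
       | grep -Eq '(^|[[:space:]/])(ntpdate|sntp)([[:space:]]|$)'; then
    echo cron
    return 0
  fi

  echo none
  return 1
}

# Live collectors for a systemd host (assumed layout; not used by the samples).
# `systemctl is-active` exits non-zero for inactive/unknown units, so its
# status word is captured regardless of exit code.
live_units() {
  for u in chronyd ntpd xntpd; do
    printf '%s %s\n' "$u" "$(systemctl is-active "$u" 2>/dev/null || true)"
  done
}
live_cron() {
  cat /etc/crontab /etc/cron.d/* 2>/dev/null
  crontab -l 2>/dev/null
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_UNITS_DAEMON='chronyd active
ntpd inactive
xntpd unknown'
SAMPLE_UNITS_NONE='chronyd inactive
ntpd inactive
xntpd unknown'
SAMPLE_CRON_FALLBACK='# daily one-shot step (constructed sample)
0 3 * * * root /usr/sbin/ntpdate -u pool.ntp.org'
SAMPLE_CRON_COMMENTED='# 0 3 * * * root /usr/sbin/ntpdate -u pool.ntp.org'

# Stand-alone run: audit the three samples, then (if you uncomment it) the live host.
for s in "$SAMPLE_UNITS_DAEMON|" "$SAMPLE_UNITS_NONE|$SAMPLE_CRON_FALLBACK" \
         "$SAMPLE_UNITS_NONE|$SAMPLE_CRON_COMMENTED"; do
  printf 'sample -> %s\n' "$(clock_sync_posture "${s%%|*}" "${s#*|}")"
done
# printf 'live host -> %s\n' "$(clock_sync_posture "$(live_units)" "$(live_cron)")"
```

On a host the check is `clock_sync_posture "$(live_units)" "$(live_cron)"`; a "none" result with non-zero exit is what an auditor would flag, and "cron" is the degraded case the STIG note warns about (a contrived cron script rather than the daemon's algorithms). Note that "daemon" only shows the unit is active, not that it has actually reached a synchronized state with a reachable, authoritative source; a fuller check would also read the daemon's tracking output.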
