mediumservicesverified ✓rollback-safe
Ensure chrony is not acting as a network time server
chrony-server-disabled · RHEL ≥ 8 · 1 impl
Description
The chrony daemon must not be configured to act as a network time server (NTP server) unless the system is specifically designated as a time server. The chrony.conf file must not contain a port directive that enables NTP server mode.
Rationale
A system that provides unauthorized NTP service could be used to manipulate time on other systems, affecting audit log integrity and authentication. Only designated time servers should provide NTP service.
Check → Remediate
Checkconfig_value
- path:
- /etc/chrony.conf
- key:
- port
- expected:
- 0
- delimiter:
Remediateconfig_set
- path:
- /etc/chrony.conf
- key:
- port
- value:
- 0
- separator:
- restart:
- chronyd
Framework references
STIG
V-280960 / RHEL-10-200542V-257946 / RHEL-09-252025V-230485
NIST 800-53
CM-7AU-8
Live verification
rhel8:check
#chrony#ntp#server#time