What is a chrony.conf configuration which reflects all security features of my ntp.conf?
Issue
I need to generate a standard /etc/chrony.conf file which will be routinely deployed on all RHEL7 servers via puppet. Historically, the default pre-RHEL7 ntp /etc/ntp.conf file that we have been deploying has been as follows:
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
broadcastdelay 0.008
server <server1>
server <server2>
I have subsequently formed the following /etc/chrony.conf file. Could you please sanity check this file for correctness? Also, with respect to the chronyd options, I didn't really come across an equivalent as such of the ntp line that I know is recommended as a security standard:
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
Can I be confident that the chronyd defaults (and what I have put in place in the proposed conf file) would configure chronyd to a similarly secure level? For example, I do not see any Red Hat chrony doc references to kod (kiss-of-death packets):
server <server1>
server <server2>
driftfile /var/lib/chrony/drift
makestep 10 3
logchange 0.5
logdir /var/log/chrony
bindcmdaddress 127.0.0.1
bindcmdaddress -6 ::1
rtcsync
keyfile /etc/chrony.keys
generatecommandkey
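As an added example (not part of the question and not a Red Hat-supplied answer), the posted chrony.conf with the directives that cover the roles of the ntp.conf restrict flags, each annotated. It assumes a chrony 3.x package (RHEL 7.4 or later) for the ratelimit and cmdratelimit directives and keeps the <server1>/<server2> placeholders from the question.

```conf
# chrony.conf for a client-only RHEL 7 host. Added example, not a Red Hat
# file: keeps the posted settings and adds the chrony directives that play
# the role of "restrict default kod nomodify notrap nopeer noquery".
# Assumes chrony 3.x (RHEL 7.4+) for ratelimit/cmdratelimit.

server <server1>
server <server2>

driftfile /var/lib/chrony/drift
makestep 10 3
logchange 0.5
logdir /var/log/chrony
rtcsync

# --- counterparts of the ntpd "restrict default ..." flags ---

# noquery/notrap/nopeer for NTP traffic: chronyd serves time only to
# addresses listed in an "allow" directive, and there is none here, so no
# remote host can get time or mode-6/7 monitoring data from this daemon
# (chronyd implements neither ntpq/ntpdc queries nor traps). "port 0"
# goes further and never opens the server socket at all; drop it if this
# host must serve time to clients.
port 0

# kod: chrony has no kiss-of-death directive. ratelimit instead caps the
# rate of responses per client; it only matters when time is actually
# served, i.e. with an "allow" line and without "port 0".
ratelimit interval 3 burst 8

# nomodify/noquery for the control protocol (chronyc): bind the command
# socket to loopback only, answer UDP chronyc requests only from localhost
# (also chrony's default), and rate-limit them. Note the bare address
# form: bindcmdaddress takes no "-6" flag.
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
cmdallow 127.0.0.1
cmdallow ::1
cmdratelimit interval 1 burst 4

# nopeer: chronyd forms a symmetric (peer) association only with hosts
# named in a "peer" directive and never creates one from an incoming
# packet, so simply configuring no "peer" lines is sufficient.

# Command key: only needed with chrony older than 2.2; later releases
# accept state-changing chronyc commands solely over a local Unix domain
# socket (root only) and ignore the command key.
keyfile /etc/chrony.keys
generatecommandkey
```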
Environment
- Red Hat Enterprise Linux (RHEL) 7
- chrony
- NTP protocol