Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
OpenShift must use internal system clocks to generate audit record time stamps.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-257525 | CNTR-OS-000230 | SV-257525r921518_rule | Medium |
| Description |
|---|
| Knowing when a sequence of events for an incident occurred is crucial to understand what may have taken place. Without a common clock, the components generating audit events could be out of synchronization and would then present a picture of the event that is warped and corrupted. To give a clear picture, it is important that the container platform and its components use a common internal clock. |
| STIG | Date |
|---|---|
| Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide | 2023-08-28 |
Details
| Check Text ( C-61260r921516_chk ) |
|---|
| Verify the chronyd service is enabled and active by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; systemctl is-enabled chronyd.service; systemctl is-active chronyd.service' 2>/dev/null; done If the auditd service is not "enabled" and "active", this is a finding. |
| Fix Text (F-61184r921517_fix) |
|---|
| Apply the machine config to use internal system clocks for audit records by executing the following: for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig metadata: name: 80-chronyd-service-enable-$mcpool labels: machineconfiguration.openshift.io/role: $mcpool spec: config: ignition: version: 3.1.0 systemd: units: - name: chronyd.service enabled: true " | oc apply -f - done |