From 90dce6a30b122752fefdc771c7e22e254ad7443c Mon Sep 17 00:00:00 2001 From: Tommy Date: Tue, 8 Aug 2023 21:08:20 -0700 Subject: [PATCH] Update Chrony configurations --- content/posts/linux/Desktop Linux Hardening.md | 7 +++++++ .../macos/Secure Time Synchronization on macOS.md | 12 +++++++++++- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/content/posts/linux/Desktop Linux Hardening.md b/content/posts/linux/Desktop Linux Hardening.md index a044dfc..75d097b 100644 --- a/content/posts/linux/Desktop Linux Hardening.md +++ b/content/posts/linux/Desktop Linux Hardening.md @@ -388,6 +388,13 @@ If decide on using NTS with chronyd, consider using multiple, independent time p GrapheneOS uses a [quite nice chrony configuration](https://github.com/GrapheneOS/infrastructure/blob/main/chrony.conf) for their infrastructure. I recommend that you replicate their `chrony.conf` on your system. +You should also enable the secommp filter for chronyd in `/etc/sysconfig/chronyd`: + +``` +# Command-line options for chronyd +OPTIONS="-F 1" +``` + ![Verifying NTS configuration](/images/nts.png) ### Pluggable Authentication Modules (PAM) diff --git a/content/posts/macos/Secure Time Synchronization on macOS.md b/content/posts/macos/Secure Time Synchronization on macOS.md index c3ed836..b7070f9 100644 --- a/content/posts/macos/Secure Time Synchronization on macOS.md +++ b/content/posts/macos/Secure Time Synchronization on macOS.md @@ -103,6 +103,9 @@ server ptbtime1.ptb.de iburst nts minsources 2 authselectmode require +# EF +dscp 46 + driftfile /var/lib/chrony/drift ntsdumpdir /var/lib/chrony 
@@ -117,7 +120,14 @@ cmdport 0 allow 10.0.2.2/32 ``` -If you are confused about what this configuration is doing, here are some quick explanations: +Optionally, you can enable the secommp filter for chronyd in `/etc/sysconfig/chronyd`: + +``` +# Command-line options for chronyd +OPTIONS="-F 1" +``` + +If you are confused about what these configurations are doing, here are some quick explanations: * We get our time from 4 different sources:
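Review bot: "secommp" in the added sentence of the Desktop Linux Hardening hunk is a typo for "seccomp"; fix it and say what `-F 1` does ("enable chronyd's seccomp system-call filter, `-F 1`"), since the reader otherwise has no way to connect the flag to the sentence. The path `/etc/sysconfig/chronyd` and the `OPTIONS=` variable are read by the Fedora/RHEL systemd unit only; on Debian-derived systems the equivalent is `DAEMON_OPTS` in `/etc/default/chrony`, so either name the distribution this applies to or give both locations. Because the filter kills the daemon on any system call outside the allow-list, the text should also tell the reader to restart chronyd and check `systemctl status chronyd` / `journalctl -u chronyd` afterwards, and to look there first if time synchronization stops working after this change.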
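Review bot: The `# EF` comment above `dscp 46` in the first macOS hunk is too terse to be useful; spell it out as "Mark outgoing NTP packets DSCP 46 (Expedited Forwarding)" so the reader knows this is a QoS marking and not a hardening setting. It is worth noting in the post that the `dscp` directive only exists in recent chrony releases (an older chronyd will refuse the config file) and that the marking has no effect on authentication or on NTS; it only asks the network to prioritize the packets and is commonly rewritten or ignored beyond the local segment.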
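Review bot: The second macOS hunk tells the reader to edit `/etc/sysconfig/chronyd`, but that is a Fedora/RHEL path and chronyd's seccomp filter is Linux-only, so in a post titled "Secure Time Synchronization on macOS" it is not clear where this file lives; the `allow 10.0.2.2/32` context line suggests chronyd runs in a Linux guest, in which case the sentence should say "on the Linux guest running chronyd" explicitly so nobody tries this on the macOS host. The same "secommp" typo as in the Linux hunk should be fixed to "seccomp", and the wording ("Optionally, you can enable") should match the Linux post ("You should also enable") unless the difference is intended. The rewritten lead-in "what these configurations are doing" is good since two snippets now precede the explanations, but the bullets that follow only explain `chrony.conf`; add a line explaining the `OPTIONS="-F 1"` entry as well.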