OpenShift must use internal system clocks to generate audit record time stamps.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-257525 | CNTR-OS-000230 | SV-257525r960927_rule | CCI-000159 | medium |
| Description | ||||
| Knowing when a sequence of events for an incident occurred is crucial to understand what may have taken place. Without a common clock, the components generating audit events could be out of synchronization and would then present a picture of the event that is warped and corrupted. To give a clear picture, it is important that the container platform and its components use a common internal clock. | ||||
| STIG | Date | |||
| Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide | 2025-05-15 | |||
Details
Check Text (C-257525r960927_chk)
Verify the chronyd service is enabled and active by executing the following:
for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; systemctl is-enabled chronyd.service; systemctl is-active chronyd.service' 2>/dev/null; done
If the auditd service is not "enabled" and "active", this is a finding.
Fix Text (F-61184r921517_fix)
Apply the machine config to use internal system clocks for audit records by executing the following:
for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do
echo "apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
name: 80-chronyd-service-enable-$mcpool
labels:
machineconfiguration.openshift.io/role: $mcpool
spec:
config:
ignition:
version: 3.1.0
systemd:
units:
- name: chronyd.service
enabled: true
" | oc apply -f -
done