CIS 2.2.1.2 compliance
CIS 2.2.1.2 requires specific flags to be set by default.
These flags are the following:
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
The -4 in the first line is optional and options after default can
appear in any order. Additional restriction lines may exist.
This request makes the ntp.conf configuration compliant with CIS 2.2.1.2.
CIS Benchmark: https://goo.gl/FcLKL4 (Ubuntu 16.04)
Change-Id: I8fc4917918bd604706b59342bfa658996825231d
Related-Prod: PROD-17289
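The commit message above spells out what a compliance check for CIS 2.2.1.2 has to accept: both `restrict default` lines present, the `-4` qualifier optional, flags after `default` in any order, comments and other `restrict` lines ignored. The following checker, an added example and not part of the commit or the project's Salt formula, encodes exactly that reading; the function names and the two sample configurations (built from the lines the patch adds and the one it removes) are constructed for illustration.

```python
# Flags CIS 2.2.1.2 requires on both `restrict default` lines (from the commit message).
REQUIRED_FLAGS = frozenset({"kod", "nomodify", "notrap", "nopeer", "noquery"})


def default_restrict_flags(conf_text):
    """Map address family ('4' or '6') -> flags carried by its `restrict default` line(s).

    Comments are stripped and flag order is irrelevant. A `restrict default` line with
    no -4/-6 qualifier counts as the IPv4 line, as the commit message allows. If one
    family has several default lines, only flags present on all of them count (the
    strictest reading). Localhost and per-subnet restrict lines are not examined here.
    """
    found = {}
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens or tokens[0] != "restrict":
            continue
        family, rest = "4", tokens[1:]
        if rest and rest[0] in ("-4", "-6"):
            family, rest = rest[0][1], rest[1:]
        if rest and rest[0] == "default":
            flags = set(rest[1:])
            found[family] = found[family] & flags if family in found else flags
    return found


def check_cis_2_2_1_2(conf_text):
    """Return (compliant, findings); each finding names a missing line or missing flags."""
    found = default_restrict_flags(conf_text)
    findings = []
    for family in ("4", "6"):
        if family not in found:
            findings.append(f"no 'restrict -{family} default' line")
            continue
        missing = sorted(REQUIRED_FLAGS - found[family])
        if missing:
            findings.append(f"restrict -{family} default lacks: {' '.join(missing)}")
    return not findings, findings


# Constructed samples: the restrict block the patch adds, and the single line it removes.
PATCHED_CONF = """\
# Exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
"""
OLD_CONF = "restrict default noquery nopeer\nrestrict 127.0.0.1\n"

if __name__ == "__main__":
    for name, conf in (("patched", PATCHED_CONF), ("old", OLD_CONF)):
        ok, findings = check_cis_2_2_1_2(conf)
        print(name, "compliant" if ok else "NOT compliant", findings)
```

Run against a rendered ntp.conf it reports the old single-line default as lacking `kod nomodify notrap` and missing the IPv6 line, and the patched block as compliant.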
diff --git a/ntp/files/ntp.conf b/ntp/files/ntp.conf
index df8db2c..8ba076e 100644
--- a/ntp/files/ntp.conf
+++ b/ntp/files/ntp.conf
@@ -70,8 +70,11 @@
{%- endif %}
{%- endif %}
+# Exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery
+restrict -6 default kod notrap nomodify nopeer noquery
+
# Only allow read-only access from localhost
-restrict default noquery nopeer
restrict 127.0.0.1
restrict ::1
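Review bot: the retained comment `# Only allow read-only access from localhost` no longer describes the lines beneath it. With `restrict default noquery nopeer` removed, `restrict 127.0.0.1` and `restrict ::1` carry no flags at all, which grants localhost unrestricted access (queries and runtime modification), not read-only access. Reword it to something like `# Allow unrestricted access from localhost`, or add `nomodify` to those two lines if read-only was the intent. The new `restrict -4/-6 default` lines sit after the closing `{%- endif %}`, so they render unconditionally, which is what the benchmark requires.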
@@ -90,13 +93,8 @@
{%- for r in server.get('restrict', {}) %}
restrict {{ r.subnet }} mask {{ r.mask }} {{ r.options|default('nomodify notrap nopeer') }}
{%- endfor %}
-
-# Exchange time with everybody, but don't allow configuration.
-#restrict -4 default kod notrap nomodify nopeer noquery
-#restrict -6 default kod notrap nomodify nopeer noquery
{%- endif %}
-
# Location of drift file
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp.log
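Review bot: the per-subnet template line in this hunk's context, `restrict {{ r.subnet }} mask {{ r.mask }} {{ r.options|default('nomodify notrap nopeer') }}`, falls back to a weaker flag set than the new global default: it omits `noquery` and `kod`, so any subnet listed under `restrict` in pillar regains the mode 6/7 query access the default line just closed. If that is intended for monitoring hosts, say so in a comment next to the loop; otherwise align the fallback with the new default flags. Removing the now-redundant commented-out `restrict -4/-6 default` lines is correct, since the live copies are defined unconditionally in the first hunk.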