Re-adding the missing NTP default vars

Some of the NTP defaults used to deploy chrony were shared between
both the RHEL6 and RHEL7 STIG tasks; however, the required defaults
for these vars were removed in
Iaae52c97a35d82dd807ef78a1a6593ce3aa33540.

Since they are still needed by the RHEL7 STIG chrony deployment,
we will need to add them back.

I also removed a reference to "security_disable_ipv6" in the chrony
config file which was used to determine if chrony should bind ::1 for
its management socket. Since the "security_disable_ipv6" var no longer
exists, we will unconditionally bind the ::1 management address.

Change-Id: Ic80bda5fbf5cb4424e305ff9839121416b8bea19
Logan V 2017-09-13 00:30:08 -05:00
parent 422a865392
commit 2a4875f2cd
2 changed files with 8 additions and 2 deletions

@ -266,6 +266,14 @@ security_ntp_servers:
- 1.pool.ntp.org
- 2.pool.ntp.org
- 3.pool.ntp.org
# Chrony limits access to clients that are on certain subnets. Adjust the
# following subnets here to limit client access to chrony servers.
security_allowed_ntp_subnets:
- 10/8
- 192.168/16
- 172.16/12
# Listen for NTP requests only on local interfaces.
security_ntp_bind_local_interfaces_only: yes
# Restrict mail relaying.
security_rhel7_restrict_mail_relaying: yes # V-72297
# Deploy a login banner. # V-72225 / V-71863
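
Review bot: The comment restored above `security_ntp_bind_local_interfaces_only` says chrony will listen for NTP requests on local interfaces, but the template hunk in this same change shows that comment sitting directly above `port 0`, which in chrony disables the NTP server port altogether. With the default of `yes`, `security_allowed_ntp_subnets` therefore appears to have no effect on a default deployment; say so in the comment so operators know both variables must be changed before clients are served. Once that is done, the default list admits all three RFC 1918 ranges, so the comment should also tell operators to narrow it to their actual client networks, and the entries would read more clearly in full form (`10.0.0.0/8` rather than `10/8`).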

@ -98,7 +98,5 @@ rtconutc
# Listen for NTP requests only on local interfaces.
port 0
bindcmdaddress 127.0.0.1
{% if not security_disable_ipv6 | bool %}
bindcmdaddress ::1
{% endif %}
{% endif %}
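
Review bot: With the `security_disable_ipv6` guard gone, `bindcmdaddress ::1` is rendered on every host, including hosts where IPv6 has been turned off by other means. Please confirm in testing that chronyd still starts cleanly and that `chronyc` still works over 127.0.0.1 on such a host, and add a release note saying the management socket now always binds ::1. Also check that the remaining `{% endif %}` closes the outer conditional and not the removed one, since the two closing tags were adjacent.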