Article Number
000032169
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics Server, Broker, Concentrator, Decoder, Log Decoder, Log Collector, ESA, Archiver, Malware Analysis
RSA Version/Condition: 10.5.1
Issue
As of version 10.5.1 a change to the handling of NTP time sources has been implemented in the Security Analytics stack. Going forward, all SA core appliances will be automatically configured with the SA server as their only NTP source. The SA server is in turn configured with additional NTP sources.
In some customer environments there are restrictive firewall rules between data centers and there is a possibility that core appliances will not be able to access the SA server as an NTP source.
Under this new configuration the SA server becomes a single point of failure for NTP sync.
Resolution
If necessary, a Puppet module on the SA server can be modified to add additional NTP sources to core appliances.
The necessary steps for performing this change are listed below.
- Open the following file in a text editor: /etc/puppet/modules/base/manifests/init.pp
- Find the section below:
    } else { # Agents' NTP point to puppetmaster.local
        $ntp_server = ['puppetmaster.local']
        class { '::ntp':
            servers       => [$ntp_server],
            keys_enable   => true,
            iburst_enable => true,
        }
    }
}
- Modify the line "$ntp_server = ['puppetmaster.local']" to include additional NTP sources similar to the following example:
    } else { # Agents' NTP point to puppetmaster.local
        $ntp_server = ['puppetmaster.local','10.20.30.20','someNTPserverName']
        class { '::ntp':
            servers       => [$ntp_server],
            keys_enable   => true,
            iburst_enable => true,
        }
    }
}
- Save changes and exit.
Upon the next run of the puppet agent on the core appliances the NTP change will be applied and the ntpd service will be automatically restarted.
To quickly verify the effect of the changes:
- Connect to a core appliance via SSH as the root user and issue the command below.
puppet agent -t
- Once the puppet agent completes, cat ntp.conf and verify that the additional time servers have been added.
cat /etc/ntp.conf
The following is sample output of the ntp.conf file:
# Set up servers for ntpd with next options:
# server - IP address or DNS name of upstream NTP server
# iburst - allow send sync packages faster if upstream unavailable
# prefer - select preferrable server
# minpoll - set minimal update frequency
# maxpoll - set maximal update frequency
server puppetmaster.local iburst
server 10.20.30.20 iburst
server someNTPserverName iburst
- To further verify the change, the following commands can be used:
ntpq -p
ntpstat
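The following shell function is an added example (not part of the RSA article) that automates the ntp.conf check from the step above: given the NTP sources configured in the modified init.pp, it reports any that are missing from the generated file, ignoring commented-out entries. The sample ntp.conf it reads is constructed inline for the demonstration and is not output from a real appliance.

```shell
#!/bin/sh
# Added example, not from the RSA article.
# check_ntp_sources <ntp.conf path> <server> [server ...]
# Returns 0 when every expected server has an active "server <name> ..." line
# in the file, 1 otherwise (the missing names are written to stderr).
check_ntp_sources() {
    conf="$1"; shift
    missing=""
    for srv in "$@"; do
        # Escape dots so an IP such as 10.20.30.20 matches literally.
        pat=$(printf '%s' "$srv" | sed 's/\./\\./g')
        # Only lines that start with "server" count; "# server ..." is ignored.
        if ! grep -Eq "^[[:space:]]*server[[:space:]]+${pat}([[:space:]]|$)" "$conf"; then
            missing="$missing $srv"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing NTP sources in $conf:$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample ntp.conf: the third server from the article's example is
# commented out here to show that the check does not count it as present.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# server - IP address or DNS name of upstream NTP server
server puppetmaster.local iburst
server 10.20.30.20 iburst
# server someNTPserverName iburst
EOF

# Typical use on an appliance would be:
#   check_ntp_sources /etc/ntp.conf puppetmaster.local 10.20.30.20 someNTPserverName
```

Run it against /etc/ntp.conf after the puppet agent run; a non-zero exit with the missing names on stderr means the manifest change did not reach that appliance.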
Notes
Any changes to /etc/puppet/modules/base/manifests/init.pp will likely be lost on subsequent upgrades.
Therefore, the workaround would need to be reapplied after an upgrade.