Require at least one configured NTP server

Here’s another entry in our series of examples on how to use the new string presence check in Halo: how to make sure NTP has at least one server configured.  For an introduction to this new feature, please see our previous Introduction to Search Expressions post.

The previous examples in this series are all looking for things that shouldn’t be on the system; let’s look for some things that should be there.

On some cloud servers it may be appropriate to configure the NTP daemon to synchronize the server clock (*).  To make sure NTP has at least one server configured, we can look for a line like:


in /etc/ntp.conf.  Since “server” needs to be at the beginning of the line, we’ll place a “^” as the first character.  Since we’ll allow any number of spaces or tabs (or even a mix), we use “\s+” next.  The plus sign (“+”) says “I need at least one of the preceding object (whitespace in this example), but I’ll match multiple whitespace characters too.”  After that, I need a hostname or IP address, and since those start with an alphanumeric character, I’ll just ask for “\w” (any alphanumeric character) and assume the rest of the line is a valid hostname or IP address.  Here’s our final check:

/etc/ntp.conf Contains ^server\s+\w

* If the cloud provider already synchronizes the host machine’s clock with NTP, it may not be appropriate to run NTP on those cloud servers.  VMware has an excellent whitepaper on timekeeping in virtual machines that’s worth a read even if your cloud servers don’t run on VMware.
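To see what the check above accepts and rejects before relying on it, here is an added example (not Halo's own code) that runs the same pattern over a few constructed ntp.conf bodies. It assumes the pattern is applied one line at a time, uses Python's `re` module as a stand-in for Halo's matcher, and the sample hostnames and addresses are made up for illustration.

```python
import re

# The page's check: "server" at the start of a line, one or more spaces
# or tabs, then a word character that starts the hostname or IP address.
PATTERN = re.compile(r"^server\s+\w")

def server_lines(conf_text):
    """Return the lines of an ntp.conf body that satisfy the check."""
    return [line for line in conf_text.splitlines() if PATTERN.search(line)]

def check_passes(conf_text):
    """True when at least one line satisfies the check."""
    return bool(server_lines(conf_text))

# Constructed sample configurations (not taken from any real host).
SAMPLES = {
    # Two live server lines, one space-separated and one tab-separated.
    "active": "driftfile /var/lib/ntp/drift\n"
              "server 0.pool.ntp.org iburst\n"
              "server\t192.0.2.10\n",
    # Every server line is commented out, so "^" never sees "server".
    "commented_only": "# server 0.pool.ntp.org\n#server 192.0.2.10\n",
    # The keyword is present but no host follows it.
    "keyword_only": "server\nserver   \n",
    # Leading whitespace defeats the "^" anchor.
    "indented": "  server 192.0.2.10\n",
    # Time sources declared with the "pool" directive are not counted.
    "pool_only": "pool 2.pool.ntp.org iburst\n",
}

def audit(samples=SAMPLES):
    """Map each sample name to whether the check passes on it."""
    return {name: check_passes(text) for name, text in samples.items()}

if __name__ == "__main__":
    for name, ok in audit().items():
        print(f"{name:15} {'PASS' if ok else 'FAIL'}")
```

The `pool_only` and `indented` cases show where the check is stricter than the intent "has a time source": if your configurations use either form, the pattern needs widening before a failure is treated as a finding.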
