From 3114703ebb1e95d25f835d035e3cbad96ebc7b9a Mon Sep 17 00:00:00 2001
From: Christian Berendt
Date: Thu, 19 May 2016 13:51:40 +0200
Subject: [PATCH] Add new parameter 'security_ntp_bind_local_interfaces_only'

With the parameter 'security_ntp_bind_local_interfaces_only' it is possible to configure if chronyd should listen on all available network interfaces for NTP requests.

Change-Id: I7e56d60df7c7214e753d1ca86aceed05849addef
---
 defaults/main.yml | 2 ++
 doc/source/configuration.rst | 11 ++++++++---
 ...p-bind-local-interfaces-only-05f03de632e81097.yaml | 5 +++++
 templates/chrony.conf.j2 | 8 ++++++++
 4 files changed, 23 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/ntp-bind-local-interfaces-only-05f03de632e81097.yaml
diff --git a/defaults/main.yml b/defaults/main.yml
index 311db9ac..52492d74 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -138,6 +138,8 @@ security_allowed_ntp_subnets:
 - 10/8
 - 192.168/16
 - 172.16/12
+# Listen for NTP requests only on local interfaces.
+security_ntp_bind_local_interfaces_only: yes
 
 ## Core dumps
 # V-38675 requires disabling core dumps for all users unless absolutely
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
index 1715bc98..d8a4df5c 100644
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
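Review bot: The new parameter is introduced here as `security_ntp_bind_local_interfaces_only`, but the release note added in the same commit calls it ``security_ntp_bind_local_interfaces`` (no `_only`), so an operator following the release note would set a variable the role never consults; the note should use the name defined on this line. The comment is also looser than the template it drives: the chrony.conf.j2 hunk binds chronyd to `127.0.0.1` and `::1`, which is loopback rather than "local interfaces", and with that default in place the RFC1918 entries in `security_allowed_ntp_subnets` directly above can no longer reach the service at all. Suggest `# Bind chronyd's NTP server to the loopback addresses only; set to no if hosts in security_allowed_ntp_subnets must be able to reach it.`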
@@ -218,9 +218,14 @@ openstack-ansible-security role.
 The default settings will work for most environments, but some deployers may prefer to use NTP servers which are geographically closer to their servers.
-Also, the default configuration allows `RFC1918`_ addresses to reach the NTP
-server running on each host. That could be reduced to ``127.0.0.1/32`` for
-greater security.
+
+The role configures the chrony daemon to listen only on localhost. To allow
+chrony to listen on all addresses (the upstream default for chrony),
+set the ``security_ntp_bind_local_interfaces_only`` variable to ``False``.
+
+The default configuration allows `RFC1918`_ addresses to reach the NTP server
+running on each host. That could be changed by using the
+``security_allowed_ntp_subnets`` parameter.
 .. _RFC1918: https://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces
diff --git a/releasenotes/notes/ntp-bind-local-interfaces-only-05f03de632e81097.yaml b/releasenotes/notes/ntp-bind-local-interfaces-only-05f03de632e81097.yaml
new file mode 100644
index 00000000..464d5f76
--- /dev/null
+++ b/releasenotes/notes/ntp-bind-local-interfaces-only-05f03de632e81097.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - A new configuration parameter ``security_ntp_bind_local_interfaces`` was
+ added to the security role to restrict the network interface to which
+ chronyd will listen for NTP requests.
\ No newline at end of file
diff --git a/templates/chrony.conf.j2 b/templates/chrony.conf.j2
index d8042cc7..f1a0eece 100644
--- a/templates/chrony.conf.j2
+++ b/templates/chrony.conf.j2
@@ -91,3 +91,11 @@ logchange 0.5
 # chrony postinst based on what it found in /etc/default/rcS. You may
 # change it if necessary.
 rtconutc
+
+{% if security_ntp_bind_local_interfaces_only | bool %}
+# Listen for NTP requests only on local interfaces.
+bindaddress 127.0.0.1
+{% if not security_disable_ipv6 | bool %}
+bindaddress ::1
+{% endif %}
+{% endif %}
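Review bot: When `security_disable_ipv6` is true the template emits only `bindaddress 127.0.0.1`, so the restriction covers IPv4 alone; unless that variable also disables IPv6 at the kernel level (not visible in this commit), chronyd would presumably still accept NTP requests on its IPv6 wildcard socket, which is worth confirming before this setting is relied on as a hardening control. `security_disable_ipv6` is neither defined nor documented in this commit, so rendering this block depends on it already existing in the role defaults. The comment `# Listen for NTP requests only on local interfaces.` also overstates what is configured, since the two directives bind to loopback addresses; `# Accept NTP requests on the loopback addresses only (127.0.0.1 and, unless IPv6 is disabled, ::1).` would describe the actual effect.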