Initial support for ntp service via chronyd

setup/so-functions

@@ -486,6 +486,17 @@ collect_node_ls_pipeline_worker_count() {
 	done
 }
 
+collect_ntp_servers() {
+	if [[ $is_airgap || "$NSMSETUP" = 'ADVANCED' || "$MANAGERADV" = 'ADVANCED' ]]; then
+		if whiptail_ntp_ask; then
+			[[ $is_airgap ]] && ntp_servers=""
+			whiptail_ntp_servers "$ntp_servers"
+		else
+			ntp_servers=""
+		fi
+	fi
+}
+
 collect_oinkcode() {
 	whiptail_oinkcode
 
@@ -702,6 +713,38 @@ configure_minion() {
 	} >> "$setup_log" 2>&1
 }
 
+configure_ntp() {
+	local chrony_conf=/etc/chrony.conf
+
+	# Install chrony if it isn't already installed
+	if command -v chronyc &> /dev/null; then
+		if [ "$OS" == centos ]; then
+			yum -y install chrony
+		else
+			retry 50 10 "apt-get -y install chrony" || exit 1
+		fi
+	fi
+
+	[[ -f $chrony_conf ]] && rm -f $chrony_conf
+
+	# Build list of servers
+	for addr in "${ntp_servers[@]}"; do
+		echo "server $addr iburst" >> $chrony_conf
+	done
+
+	printf '%s\n' \
+		'driftfile /var/lib/chrony/drift' \
+		'makestep 1.0 3' \
+		'rtcsync' \
+		'logdir /var/log/chrony' >> $chrony_conf
+
+	systemctl enable chronyd
+	systemctl start chronyd
+
+	# Sync time
+	chronyc -a makestep
+}
+
 checkin_at_boot() {
 	local minion_config=/etc/salt/minion
 
@@ -709,6 +752,12 @@ checkin_at_boot() {
 	echo "startup_states: highstate" >> "$minion_config"
 }
 
+check_ntp_configured() {
+	if systemctl is-active --quiet chronyd || systemctl is-active --quiet ntpd; then
+		ntp_configured=true
+	fi
+}
+
 check_requirements() {
 	local standalone_or_dist=$1
 	local node_type=$2 # optional
@@ -1564,12 +1613,16 @@ manager_global() {
 		"global:"\
 		"  soversion: '$SOVERSION'"\
 		"  hnmanager: '$HNMANAGER'"\
-		"  ntpserver: '$NTPSERVER'"\
 		"  dockernet: '$DOCKERNET'"\
 		"  mdengine: '$ZEEKVERSION'"\
 		"  ids: '$NIDS'"\
 		"  url_base: '$REDIRECTIT'"\
-		"  managerip: '$MAINIP'" > "$global_pillar"
+		"  managerip: '$MAINIP'"
+		"  ntp_servers:" > "$global_pillar"
+
+	for addr in "${ntp_servers[@]}"; do
+		echo "    - '$addr'" >> "$global_pillar"
+	done
 	
 	if [[ $is_airgap ]]; then
 		printf '%s\n'\

setup/so-setup

@@ -534,6 +534,9 @@ if [[ $is_sensor && ! $is_eval ]]; then
 	fi
 fi
 
+check_ntp_configured
+[[ -z $ntp_configured ]] || collect_ntp_servers
+
 if [[ $is_node && ! $is_eval ]]; then
 	whiptail_node_advanced
 	if [ "$NODESETUP" == 'NODEADVANCED' ]; then
@@ -581,6 +584,8 @@ set_redirect >> $setup_log 2>&1
 	# Show initial progress message
 	set_progress_str 0 'Running initial configuration steps'
 
+	[[ -z $ntp_configured ]] || [[ -n $ntp_servers ]] && configure_ntp >> $setup_log 2>&1
+
 	reserve_ports
 	
 	set_path

setup/so-variables

@@ -72,3 +72,6 @@ export install_opt_file
 
 net_init_file=/root/net_init
 export net_init_file
+
+ntp_servers="0.pool.ntp.org,1.pool.ntp.org"
+export ntp_servers

setup/so-whiptail

@@ -1105,6 +1105,24 @@ whiptail_node_ls_pipeline_worker() {
 
 }
 
+whiptail_ntp_ask() {
+	[ -n "$TESTING" ] && return
+
+	whiptail --title "Security Onion Setup" --yesno "Would you like to configure ntp servers?" 7 44
+}
+
+whiptail_ntp_servers() {
+	[ -n "$TESTING" ] && return
+
+	ntp_string=$(whiptail --title "Security Onion Setup" \
+		--inputbox "Input the NTP server(s) you would like to use, separated by commas:" 8 75 "$1" 3>&1 1>&2 2>&3)
+
+	local exitstatus=$?
+	whiptail_check_exitstatus $exitstatus
+
+	IFS="," read -r -a ntp_servers <<< "$ntp_string" # Split string on commas into array
+}
+
 whiptail_oinkcode() {
 
 	[ -n "$TESTING" ] && return