TL;DR
Yes, not installing the leap second patch on Red Hat systems can cause serious problems, including time discrepancies that lead to security vulnerabilities. These issues stem from how software handles the extra second added to UTC and can affect authentication, logging, and overall system stability.
Understanding the Problem
Leap seconds are occasionally added to Coordinated Universal Time (UTC) to keep it aligned with astronomical time. Historically, this was handled by applying a negative duration adjustment to the system clock. However, this method can cause issues in modern systems because of how many applications and services now rely on monotonic clocks for accurate timing.
Security Implications
- Authentication Issues: Time-based one-time passwords (TOTP) are common for two-factor authentication. If your system clock is significantly off, TOTP codes will be incorrect, locking users out of accounts.
- Log File Corruption/Inconsistency: Incorrect timestamps on log files make it difficult to investigate security incidents accurately. You might miss critical events or misinterpret the order in which things happened.
- Certificate Validation Failures: SSL/TLS certificates have validity periods defined by dates and times. A skewed clock can cause certificate validation to fail, disrupting secure connections.
- Job Scheduling Problems: Cron jobs and other scheduled tasks rely on accurate timekeeping. If the clock is wrong, these tasks might not run when expected or could run multiple times.
- Database Replication Issues: Time-sensitive database operations (like replication) can fail if clocks are out of sync between servers. This can lead to data inconsistencies and potential security breaches.
Solution: Installing the Patch
Red Hat provides a patch specifically designed to handle leap seconds correctly. Here’s how to install it:
- Check Your Red Hat Version: Determine which version of Red Hat Enterprise Linux (RHEL) you are running.
    cat /etc/redhat-release
- Install the chrony Package: This is the recommended way to manage time on RHEL systems. If it's not already installed:
    sudo yum install chrony
- Configure chrony: Edit the /etc/chrony.conf file.
  - Ensure that your system is synchronising with reliable NTP servers. Example configuration:
        server pool.ntp.org iburst
        server time.google.com iburst
        # Allow local network access (adjust as needed)
        allow 192.168.1.0/24
  - time.google.com smears leap seconds rather than inserting them, and Google advises against mixing it with sources that do not smear, so settle on one kind of source before a leap second is due.
  - The default configuration usually works well, but review it to ensure it meets your needs.
- Start and Enable chronyd: This starts the chrony daemon and ensures it runs on boot.
    sudo systemctl start chronyd
    sudo systemctl enable chronyd
- Verify Chrony Status: Check that chrony is synchronising correctly.
    chronyc sources -v
  Look for servers with an asterisk (*) next to them, indicating they are being used for time synchronization.
- Check System Time: Verify the system time after chrony has been running for a while.
    date
Ongoing Maintenance
- Regular Updates: Keep your system patched with the latest security updates, including those related to chrony.
- Monitor Time Drift: Regularly check that your system time remains accurate and synchronised.
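One way to automate the drift check described above, as an added example rather than Red Hat's or chrony's own tooling: it grades the `System time` and `Leap status` lines that `chronyc tracking` prints. The names `check_tracking` and `sample`, the 0.5-second threshold and the hostname are assumptions made for this illustration, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: grade `chronyc tracking` output against a drift threshold.
# Usage on a live host: chronyc tracking | check_tracking 0.5
# Returns 0 = OK, 1 = leap second pending, 2 = unsynchronised or over threshold.
check_tracking() {
    awk -v max="$1" '
        /^System time/ { offset = $4; have_offset = 1 }   # always positive; slow/fast follows
        /^Leap status/ { sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); leap = $0 }
        END {
            if (!have_offset || leap == "") {
                print "CRITICAL: could not parse tracking output"; exit 2
            }
            if (leap == "Not synchronised") {
                print "CRITICAL: clock is not synchronised"; exit 2
            }
            if (offset + 0 > max + 0) {
                printf "CRITICAL: offset %ss exceeds %ss\n", offset, max; exit 2
            }
            if (leap != "Normal") {
                printf "WARNING: leap second pending (%s), offset %ss\n", leap, offset; exit 1
            }
            printf "OK: offset %ss, leap status %s\n", offset, leap
        }'
}

# Constructed sample in the layout `chronyc tracking` prints (hypothetical host).
sample() {
    printf 'Reference ID    : C0A80101 (ntp1.example.internal)\n'
    printf 'Stratum         : 3\n'
    printf 'System time     : %s seconds slow of NTP time\n' "$1"
    printf 'Last offset     : -0.000006747 seconds\n'
    printf 'Leap status     : %s\n' "$2"
}

# Demonstration on constructed input: healthy, leap pending, drifted.
sample 0.000006523 "Normal"        | check_tracking 0.5 || true
sample 0.000006523 "Insert second" | check_tracking 0.5 || true
sample 1.204500000 "Normal"        | check_tracking 0.5 || true
```

The non-zero return codes make the function usable from cron or a monitoring agent, where a pending leap second can be surfaced as a warning ahead of the event.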