From b5379d0850f2ee366c7259512c74355d86babf2f Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 10 Mar 2020 19:05:57 +0100
Subject: [PATCH 01/10] create new chrony rules for CIS
add package_chrony_installed
add service_chronyd_enabled
add chrony_specify_remote_server
add default value to chrony_multiple_servers variable
---
.../bash/shared.sh | 9 +++++
.../oval/shared.xml | 15 ++++++++
.../chronyd_specify_remote_server/rule.yml | 35 +++++++++++++++++
.../ntp/package_chrony_installed/rule.yml | 34 +++++++++++++++++
.../ntp/service_chronyd_enabled/rule.yml | 38 +++++++++++++++++++
.../ntp/var_multiple_time_servers.var | 3 +-
shared/templates/extra_ovals.yml | 6 ---
7 files changed, 133 insertions(+), 7 deletions(-)
create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml
create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
create mode 100644 linux_os/guide/services/ntp/package_chrony_installed/rule.yml
create mode 100644 linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..ab9aab8732
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
|
|
|
dac76a |
@@ -0,0 +1,9 @@
|
|
|
dac76a |
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
|
|
|
dac76a |
+. /usr/share/scap-security-guide/remediation_functions
|
|
|
dac76a |
+populate var_multiple_time_servers
|
|
|
dac76a |
+
|
|
|
dac76a |
+config_file="/etc/chrony.conf"
|
|
|
dac76a |
+
|
|
|
dac76a |
+if ! grep -q ^server "$config_file" ; then
|
|
|
dac76a |
+ {{{ bash_ensure_there_are_servers_in_ntp_compatible_config_file("$config_file", "$var_multiple_time_servers") | indent(2) }}}
|
|
|
dac76a |
+fi
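Review bot: The guard `grep -q ^server "$config_file"` only recognises `server` directives, while the rule text and OCIL added in this same series treat `pool` lines as equally valid, so a host that is compliant via `pool` gets `server` lines appended on every remediation run. The same gap remains in the rewritten guard in patch 02, in the Ansible regex in patch 02, and is widened by patch 05, which makes the OVAL check accept `pool` without touching either remediation. Accept either keyword with a non-blank argument: `if ! grep -qE '^[[:space:]]*(server|pool)[[:space:]]+[^[:space:]]+' "$config_file" ; then`. A missing config file also makes grep fail and falls through to the macro, which looks intended; a one-line comment saying so would help the next reader.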
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..0045c93a2d
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml
|
|
|
dac76a |
@@ -0,0 +1,15 @@
|
|
|
dac76a |
+<def-group oval_version="5.11">
|
|
|
dac76a |
+ <definition class="compliance" id="chronyd_specify_remote_server" version="1">
|
|
|
dac76a |
+ <metadata>
|
|
|
dac76a |
+ <title>Specify Remote NTP chronyd Server for Time Data</title>
|
|
|
dac76a |
+ {{{- oval_affected(products) }}}
|
|
|
dac76a |
+ <description>A remote chronyd NTP Server for time synchronization should be specified (and dependencies are met)</description>
|
|
|
dac76a |
+ </metadata>
|
|
|
dac76a |
+
|
|
|
dac76a |
+ <criteria comment="chronyd enabled and remote server specified" operator="AND">
|
|
|
dac76a |
+ <extend_definition comment="service chronyd enabled" definition_ref="service_chronyd_enabled" />
|
|
|
dac76a |
+ <extend_definition comment="chronyd remote server specified" definition_ref="chronyd_specify_remote_server" />
|
|
|
dac76a |
+ </criteria>
|
|
|
dac76a |
+
|
|
|
dac76a |
+ </definition>
|
|
|
dac76a |
+</def-group>
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..062d382709
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
|
|
|
dac76a |
@@ -0,0 +1,35 @@
|
|
|
dac76a |
+documentation_complete: true
|
|
|
dac76a |
+
|
|
|
dac76a |
+prodtype: fedora,ocp4,ol8,rhel8
|
|
|
dac76a |
+
|
|
|
dac76a |
+title: 'A remote NTP server for Chrony is configured'
|
|
|
dac76a |
+
|
|
|
dac76a |
+description: |-
|
|
|
dac76a |
+ chrony is a daemon which implements the Network Time Protocol (NTP) is designed to
|
|
|
dac76a |
+ synchronize system clocks across a variety of systems and use a source that is highly
|
|
|
dac76a |
+ accurate. More information on chrony can be found at
|
|
|
dac76a |
+ {{{ weblink(link="http://chrony.tuxfamily.org/") }}}.
|
|
|
dac76a |
+ Chrony can be configured to be a client and/or a server.
|
|
|
dac76a |
+ Add or edit server or pool lines to <tt>/etc/chrony.conf</tt> as appropriate:
|
|
|
dac76a |
+ server <remote-server>
|
|
|
dac76a |
+ Multiple servers may be configured.
|
|
|
dac76a |
+
|
|
|
dac76a |
+rationale: |-
|
|
|
dac76a |
+ If chrony is in use on the system proper configuration is vital to ensuring time
|
|
|
dac76a |
+ synchronization is working properly.
|
|
|
dac76a |
+
|
|
|
dac76a |
+severity: medium
|
|
|
dac76a |
+
|
|
|
dac76a |
+platform: machine
|
|
|
dac76a |
+
|
|
|
dac76a |
+identifiers:
|
|
|
dac76a |
+ cce@rhel8: 82734-5
|
|
|
dac76a |
+
|
|
|
dac76a |
+references:
|
|
|
dac76a |
+ cis@rhel8: 2.2.1.2
|
|
|
dac76a |
+
|
|
|
dac76a |
+ocil_clause: 'The remote NTP server for Chrony is not configured'
|
|
|
dac76a |
+
|
|
|
dac76a |
+ocil: |-
|
|
|
dac76a |
+ Run the following command and verify remote server is configured properly:
|
|
|
dac76a |
+ # grep -E "^(server|pool)" /etc/chrony.conf
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..36cae252e0
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
|
|
|
dac76a |
@@ -0,0 +1,34 @@
|
|
|
dac76a |
+documentation_complete: true
|
|
|
dac76a |
+
|
|
|
dac76a |
+prodtype: fedora,ocp4,ol8,rhel8
|
|
|
dac76a |
+
|
|
|
dac76a |
+title: 'The Chrony package is enabled'
|
|
|
dac76a |
+
|
|
|
dac76a |
+description: |-
|
|
|
dac76a |
+ System time should be synchronized between all systems in an environment. This is
|
|
|
dac76a |
+ typically done by establishing an authoritative time server or set of servers and having all
|
|
|
dac76a |
+ systems synchronize their clocks to them.
|
|
|
dac76a |
+ You can install the package with the following command:
|
|
|
dac76a |
+ # dnf install chrony
|
|
|
dac76a |
+
|
|
|
dac76a |
+rationale: |-
|
|
|
dac76a |
+ Time synchronization is important to support time sensitive security mechanisms like
|
|
|
dac76a |
+ Kerberos and also ensures log files have consistent time records across the enterprise,
|
|
|
dac76a |
+ which aids in forensic investigations.
|
|
|
dac76a |
+
|
|
|
dac76a |
+severity: medium
|
|
|
dac76a |
+
|
|
|
dac76a |
+platform: machine
|
|
|
dac76a |
+
|
|
|
dac76a |
+identifiers:
|
|
|
dac76a |
+ cce@rhel8: 82730-3
|
|
|
dac76a |
+
|
|
|
dac76a |
+references:
|
|
|
dac76a |
+ cis@rhel8: 2.2.1.1
|
|
|
dac76a |
+
|
|
|
dac76a |
+{{{ complete_ocil_entry_package(package="chrony") }}}
|
|
|
dac76a |
+
|
|
|
dac76a |
+template:
|
|
|
dac76a |
+ name: package_installed
|
|
|
dac76a |
+ vars:
|
|
|
dac76a |
+ pkgname: chrony
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..37adcae640
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
|
|
|
dac76a |
@@ -0,0 +1,38 @@
|
|
|
dac76a |
+documentation_complete: true
|
|
|
dac76a |
+
|
|
|
dac76a |
+prodtype: fedora,ocp4,ol8,rhel8
|
|
|
dac76a |
+
|
|
|
dac76a |
+title: 'The Chronyd service is enabled'
|
|
|
dac76a |
+
|
|
|
dac76a |
+description: |-
|
|
|
dac76a |
+ chrony is a daemon which implements the Network Time Protocol (NTP) is designed to
|
|
|
dac76a |
+ synchronize system clocks across a variety of systems and use a source that is highly
|
|
|
dac76a |
+ accurate. More information on chrony can be found at
|
|
|
dac76a |
+ {{{ weblink(link="http://chrony.tuxfamily.org/") }}}.
|
|
|
dac76a |
+ Chrony can be configured to be a client and/or a server.
|
|
|
dac76a |
+ To enable Chronyd service, you can run:
|
|
|
dac76a |
+ <tt># systemctl enable chronyd.service</tt>
|
|
|
dac76a |
+ This recommendation only applies if chrony is in use on the system.
|
|
|
dac76a |
+
|
|
|
dac76a |
+rationale: |-
|
|
|
dac76a |
+ If chrony is in use on the system proper configuration is vital to ensuring time
|
|
|
dac76a |
+ synchronization is working properly.
|
|
|
dac76a |
+
|
|
|
dac76a |
+severity: medium
|
|
|
dac76a |
+
|
|
|
dac76a |
+platform: machine
|
|
|
dac76a |
+
|
|
|
dac76a |
+identifiers:
|
|
|
dac76a |
+ cce@rhel8: 82729-5
|
|
|
dac76a |
+
|
|
|
dac76a |
+references:
|
|
|
dac76a |
+ cis@rhel8: 2.2.1.2
|
|
|
dac76a |
+
|
|
|
dac76a |
+ocil_clause: 'The chronyd process is not running'
|
|
|
dac76a |
+
|
|
|
dac76a |
+ocil: '{{{ ocil_service_enabled(service="chronyd") }}}'
|
|
|
dac76a |
+
|
|
|
dac76a |
+template:
|
|
|
dac76a |
+ name: service_enabled
|
|
|
dac76a |
+ vars:
|
|
|
dac76a |
+ servicename: chronyd
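Review bot: The `template:` block ends with only `servicename: chronyd`, whereas the `service_chronyd_enabled` entry this commit deletes from shared/templates/extra_ovals.yml also carried `packagename: chrony`. If the `service_enabled` template uses `packagename` to gate the check on the package being present (I cannot confirm that from this hunk), the generated OVAL changes meaning on hosts without chrony; either carry `packagename: chrony` over into `vars:` or state in the commit message that dropping it is deliberate. Separately, `ocil_clause: 'The chronyd process is not running'` describes a running process while the title, OCIL and template all check that the unit is enabled; `ocil_clause: 'The chronyd service is not enabled'` matches what is actually tested.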
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ntp/var_multiple_time_servers.var b/linux_os/guide/services/ntp/var_multiple_time_servers.var
|
|
|
dac76a |
index 32deb2b851..47c6594ad2 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/ntp/var_multiple_time_servers.var
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/var_multiple_time_servers.var
|
|
|
dac76a |
@@ -6,9 +6,10 @@ description: 'The list of vendor-approved time servers'
|
|
|
dac76a |
|
|
|
dac76a |
type: string
|
|
|
dac76a |
|
|
|
dac76a |
-interactive: false
|
|
|
dac76a |
+interactive: true
|
|
|
dac76a |
|
|
|
dac76a |
options:
|
|
|
dac76a |
+ default: "0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org"
|
|
|
dac76a |
fedora: "0.fedora.pool.ntp.org,1.fedora.pool.ntp.org,2.fedora.pool.ntp.org,3.fedora.pool.ntp.org"
|
|
|
dac76a |
rhel: "0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org"
|
|
|
dac76a |
ol: "0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org"
|
|
|
dac76a |
diff --git a/shared/templates/extra_ovals.yml b/shared/templates/extra_ovals.yml
|
|
|
dac76a |
index 9768f5c5c4..948912c228 100644
|
|
|
dac76a |
--- a/shared/templates/extra_ovals.yml
|
|
|
dac76a |
+++ b/shared/templates/extra_ovals.yml
|
|
|
dac76a |
@@ -43,12 +43,6 @@ package_prelink_removed:
|
|
|
dac76a |
vars:
|
|
|
dac76a |
pkgname: prelink
|
|
|
dac76a |
|
|
|
dac76a |
-service_chronyd_enabled:
|
|
|
dac76a |
- name: service_enabled
|
|
|
dac76a |
- vars:
|
|
|
dac76a |
- servicename: chronyd
|
|
|
dac76a |
- packagename: chrony
|
|
|
dac76a |
-
|
|
|
dac76a |
service_sssd_disabled:
|
|
|
dac76a |
name: service_disabled
|
|
|
dac76a |
vars:
From e6145398300fae26e9765dc2798d7eec602be70c Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 11 Mar 2020 11:05:17 +0100
Subject: [PATCH 02/10] add tests and ansible remediation
remove shared oval for checking chronyd_specify_remote_server
---
.../ansible/shared.yml | 13 ++++++++
.../bash/shared.sh | 2 +-
.../oval/shared.xml | 32 +++++++++++++------
.../tests/correct.pass.sh | 7 ++++
.../tests/file_empty.fail.sh | 6 ++++
.../tests/file_missing.fail.sh | 6 ++++
.../tests/line_missing.fail.sh | 7 ++++
.../tests/multiple_servers.pass.sh | 7 ++++
.../tests/server_not_specified.fail.sh | 6 ++++
.../oval/chronyd_specify_remote_server.xml | 29 -----------------
10 files changed, 76 insertions(+), 39 deletions(-)
create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml
create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct.pass.sh
create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_empty.fail.sh
create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_missing.fail.sh
create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/line_missing.fail.sh
create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/multiple_servers.pass.sh
create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/server_not_specified.fail.sh
delete mode 100644 shared/checks/oval/chronyd_specify_remote_server.xml
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..ad93be3580
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml
|
|
|
dac76a |
@@ -0,0 +1,13 @@
|
|
|
dac76a |
+# platform = multi_platform_all
|
|
|
dac76a |
+# reboot = false
|
|
|
dac76a |
+# strategy = configure
|
|
|
dac76a |
+# complexity = low
|
|
|
dac76a |
+# disruption = low
|
|
|
dac76a |
+- (xccdf-var var_multiple_time_servers)
|
|
|
dac76a |
+
|
|
|
dac76a |
+- name: "Ensure Chrony is installed"
|
|
|
dac76a |
+ package:
|
|
|
dac76a |
+ name: "chrony"
|
|
|
dac76a |
+ state: present
|
|
|
dac76a |
+
|
|
|
dac76a |
+{{{ ansible_lineinfile(msg='Ensure remote servers are specified in chrony.conf', path='/etc/chrony.conf', regex='^[\s]*server[\s]+[\w]+', new_line='server {{ item }}', create='yes', state='present', with_items='{{ var_multiple_time_servers.split(",") }}') }}}
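Review bot: The `ansible_lineinfile` call combines `regex='^[\s]*server[\s]+[\w]+'` with `with_items` over every configured server, and lineinfile replaces the last line matching `regexp` rather than adding a new one; on each iteration the line written by the previous item matches the regex and is overwritten, so after the loop only the final item survives as a `server` directive and any administrator-set server line has been replaced. That diverges from the bash remediation in this rule, which adds all of the listed servers. Make the idempotency regex item-specific so each server gets its own line, e.g. `regex='^[\s]*server[\s]+{{ item }}([\s]|$)'`, or emit the full set with a single block-style task. How the macro expands `regex` and `with_items` is not visible in this hunk, so please confirm against a rendered playbook.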
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
|
|
|
dac76a |
index ab9aab8732..9fdb46d419 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
|
|
|
dac76a |
@@ -4,6 +4,6 @@ populate var_multiple_time_servers
|
|
|
dac76a |
|
|
|
dac76a |
config_file="/etc/chrony.conf"
|
|
|
dac76a |
|
|
|
dac76a |
-if ! grep -q ^server "$config_file" ; then
|
|
|
dac76a |
+if ! grep -q '^[\s]*server[\s]+[\w]+' "$config_file" ; then
|
|
|
dac76a |
{{{ bash_ensure_there_are_servers_in_ntp_compatible_config_file("$config_file", "$var_multiple_time_servers") | indent(2) }}}
|
|
|
dac76a |
fi
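Review bot: `grep -q '^[\s]*server[\s]+[\w]+'` runs without `-E`/`-P`, and in grep's basic regex syntax `[\s]` and `[\w]` are bracket expressions matching a literal backslash or the letters `s`/`w`, while `+` is a literal plus; the pattern therefore never matches a normal `server 0.pool.ntp.org` line, the guard always fails, and the macro re-runs on every invocation against an already-compliant host, which is exactly the idempotency this check was meant to provide. Write the classes out in POSIX form under extended regex: `if ! grep -qE '^[[:space:]]*server[[:space:]]+[^[:space:]]+' "$config_file" ; then`. The enclosing script starts before this hunk (the `populate` line is only shown in the hunk header).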
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml
|
|
|
dac76a |
index 0045c93a2d..744ea925c9 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml
|
|
|
dac76a |
@@ -1,15 +1,29 @@
|
|
|
dac76a |
-<def-group oval_version="5.11">
|
|
|
dac76a |
+<def-group>
|
|
|
dac76a |
<definition class="compliance" id="chronyd_specify_remote_server" version="1">
|
|
|
dac76a |
<metadata>
|
|
|
dac76a |
- <title>Specify Remote NTP chronyd Server for Time Data</title>
|
|
|
dac76a |
- {{{- oval_affected(products) }}}
|
|
|
dac76a |
- <description>A remote chronyd NTP Server for time synchronization should be specified (and dependencies are met)</description>
|
|
|
dac76a |
+ <title>Specify a Remote NTP Server for Time Data</title>
|
|
|
dac76a |
+ <affected family="unix">
|
|
|
dac76a |
+ <platform>multi_platform_all</platform>
|
|
|
dac76a |
+ </affected>
|
|
|
dac76a |
+ <description>A remote NTP Server for time synchronization should be
|
|
|
dac76a |
+ specified (and dependencies are met)</description>
|
|
|
dac76a |
</metadata>
|
|
|
dac76a |
-
|
|
|
dac76a |
- <criteria comment="chronyd enabled and remote server specified" operator="AND">
|
|
|
dac76a |
- <extend_definition comment="service chronyd enabled" definition_ref="service_chronyd_enabled" />
|
|
|
dac76a |
- <extend_definition comment="chronyd remote server specified" definition_ref="chronyd_specify_remote_server" />
|
|
|
dac76a |
+ <criteria comment="chrony.conf conditions are met">
|
|
|
dac76a |
+ <criterion test_ref="test_chronyd_remote_server" />
|
|
|
dac76a |
</criteria>
|
|
|
dac76a |
-
|
|
|
dac76a |
</definition>
|
|
|
dac76a |
+
|
|
|
dac76a |
+
|
|
|
dac76a |
+ comment="Ensure at least one NTP server is set" id="test_chronyd_remote_server"
|
|
|
dac76a |
+ version="1">
|
|
|
dac76a |
+ <ind:object object_ref="object_chronyd_remote_server" />
|
|
|
dac76a |
+ </ind:textfilecontent54_test>
|
|
|
dac76a |
+
|
|
|
dac76a |
+
|
|
|
dac76a |
+ id="object_chronyd_remote_server" version="1">
|
|
|
dac76a |
+ <ind:filepath>/etc/chrony.conf</ind:filepath>
|
|
|
dac76a |
+ <ind:pattern operation="pattern match">^[\s]*server[\s]+.+$</ind:pattern>
|
|
|
dac76a |
+ <ind:instance datatype="int">1</ind:instance>
|
|
|
dac76a |
+ </ind:textfilecontent54_object>
|
|
|
dac76a |
+
|
|
|
dac76a |
</def-group>
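Review bot: The object pattern `^[\s]*server[\s]+.+$` still accepts a `server` directive whose only argument is whitespace whenever more than one blank follows the keyword: `[\s]+` backtracks to a single space and `.+` happily matches the rest, so a line such as `server  ` (two spaces) satisfies the check, and tests/server_not_specified.fail.sh only covers the single-trailing-space form. Requiring a non-blank token, `<ind:pattern operation="pattern match">^[\s]*server[\s]+\S+</ind:pattern>`, closes that while keeping the existing fail test failing. Patch 05 rewrites this line to add `pool` and keeps `.+`, so the same change applies there.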
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct.pass.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct.pass.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..d5db6a6fb3
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct.pass.sh
|
|
|
dac76a |
@@ -0,0 +1,7 @@
|
|
|
dac76a |
+#!/bin/bash
|
|
|
dac76a |
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
|
|
dac76a |
+
|
|
|
dac76a |
+
|
|
|
dac76a |
+yum -y install chrony
|
|
|
dac76a |
+
|
|
|
dac76a |
+echo "server 0.pool.ntp.org" > /etc/chrony.conf
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_empty.fail.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_empty.fail.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..15c414d9fc
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_empty.fail.sh
|
|
|
dac76a |
@@ -0,0 +1,6 @@
|
|
|
dac76a |
+#!/bin/bash
|
|
|
dac76a |
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
|
|
dac76a |
+
|
|
|
dac76a |
+yum -y install chrony
|
|
|
dac76a |
+
|
|
|
dac76a |
+echo "" > /etc/chrony.conf
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_missing.fail.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..4e02f34c0f
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_missing.fail.sh
|
|
|
dac76a |
@@ -0,0 +1,6 @@
|
|
|
dac76a |
+#!/bin/bash
|
|
|
dac76a |
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
|
|
dac76a |
+
|
|
|
dac76a |
+yum -y install chrony
|
|
|
dac76a |
+
|
|
|
dac76a |
+rm -f /etc/chrony.conf
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/line_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/line_missing.fail.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..acae68b7ee
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/line_missing.fail.sh
|
|
|
dac76a |
@@ -0,0 +1,7 @@
|
|
|
dac76a |
+#!/bin/bash
|
|
|
dac76a |
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
|
|
dac76a |
+
|
|
|
dac76a |
+yum -y install chrony
|
|
|
dac76a |
+
|
|
|
dac76a |
+echo "some line" > /etc/chrony.conf
|
|
|
dac76a |
+echo "another line" >> /etc/chrony.conf
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/multiple_servers.pass.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/multiple_servers.pass.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..d239a76dda
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/multiple_servers.pass.sh
|
|
|
dac76a |
@@ -0,0 +1,7 @@
|
|
|
dac76a |
+#!/bin/bash
|
|
|
dac76a |
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
|
|
dac76a |
+
|
|
|
dac76a |
+yum -y install chrony
|
|
|
dac76a |
+
|
|
|
dac76a |
+echo "server 0.pool.ntp.org" > /etc/chrony.conf
|
|
|
dac76a |
+echo "server 1.pool.ntp.org" >> /etc/chrony.conf
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/server_not_specified.fail.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/server_not_specified.fail.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..63c2a7f0a4
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/server_not_specified.fail.sh
|
|
|
dac76a |
@@ -0,0 +1,6 @@
|
|
|
dac76a |
+#!/bin/bash
|
|
|
dac76a |
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
|
|
dac76a |
+
|
|
|
dac76a |
+yum -y install chrony
|
|
|
dac76a |
+
|
|
|
dac76a |
+echo "server " > /etc/chrony.conf
|
|
|
dac76a |
diff --git a/shared/checks/oval/chronyd_specify_remote_server.xml b/shared/checks/oval/chronyd_specify_remote_server.xml
|
|
|
dac76a |
deleted file mode 100644
|
|
|
dac76a |
index 744ea925c9..0000000000
|
|
|
dac76a |
--- a/shared/checks/oval/chronyd_specify_remote_server.xml
|
|
|
dac76a |
+++ /dev/null
|
|
|
dac76a |
@@ -1,29 +0,0 @@
|
|
|
dac76a |
-<def-group>
|
|
|
dac76a |
- <definition class="compliance" id="chronyd_specify_remote_server" version="1">
|
|
|
dac76a |
- <metadata>
|
|
|
dac76a |
- <title>Specify a Remote NTP Server for Time Data</title>
|
|
|
dac76a |
- <affected family="unix">
|
|
|
dac76a |
- <platform>multi_platform_all</platform>
|
|
|
dac76a |
- </affected>
|
|
|
dac76a |
- <description>A remote NTP Server for time synchronization should be
|
|
|
dac76a |
- specified (and dependencies are met)</description>
|
|
|
dac76a |
- </metadata>
|
|
|
dac76a |
- <criteria comment="chrony.conf conditions are met">
|
|
|
dac76a |
- <criterion test_ref="test_chronyd_remote_server" />
|
|
|
dac76a |
- </criteria>
|
|
|
dac76a |
- </definition>
|
|
|
dac76a |
-
|
|
|
dac76a |
-
|
|
|
dac76a |
- comment="Ensure at least one NTP server is set" id="test_chronyd_remote_server"
|
|
|
dac76a |
- version="1">
|
|
|
dac76a |
- <ind:object object_ref="object_chronyd_remote_server" />
|
|
|
dac76a |
- </ind:textfilecontent54_test>
|
|
|
dac76a |
-
|
|
|
dac76a |
-
|
|
|
dac76a |
- id="object_chronyd_remote_server" version="1">
|
|
|
dac76a |
- <ind:filepath>/etc/chrony.conf</ind:filepath>
|
|
|
dac76a |
- <ind:pattern operation="pattern match">^[\s]*server[\s]+.+$</ind:pattern>
|
|
|
dac76a |
- <ind:instance datatype="int">1</ind:instance>
|
|
|
dac76a |
- </ind:textfilecontent54_object>
|
|
|
dac76a |
-
|
|
|
dac76a |
-</def-group>
From bc61c4eb7552012761223d75870c8bee36d5acc0 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 12 Mar 2020 17:05:12 +0100
Subject: [PATCH 03/10] fix typos and fix oval affected products
---
.../ntp/chronyd_specify_remote_server/oval/shared.xml | 4 +---
.../services/ntp/chronyd_specify_remote_server/rule.yml | 2 +-
.../guide/services/ntp/package_chrony_installed/rule.yml | 5 ++---
3 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml
|
|
|
dac76a |
index 744ea925c9..3a3c2895ce 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml
|
|
|
dac76a |
@@ -2,9 +2,7 @@
|
|
|
dac76a |
<definition class="compliance" id="chronyd_specify_remote_server" version="1">
|
|
|
dac76a |
<metadata>
|
|
|
dac76a |
<title>Specify a Remote NTP Server for Time Data</title>
|
|
|
dac76a |
- <affected family="unix">
|
|
|
dac76a |
- <platform>multi_platform_all</platform>
|
|
|
dac76a |
- </affected>
|
|
|
dac76a |
+ {{{- oval_affected(products) }}}
|
|
|
dac76a |
<description>A remote NTP Server for time synchronization should be
|
|
|
dac76a |
specified (and dependencies are met)</description>
|
|
|
dac76a |
</metadata>
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
|
|
|
dac76a |
index 062d382709..3befba9de8 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
|
|
|
dac76a |
@@ -5,7 +5,7 @@ prodtype: fedora,ocp4,ol8,rhel8
|
|
|
dac76a |
title: 'A remote NTP server for Chrony is configured'
|
|
|
dac76a |
|
|
|
dac76a |
description: |-
|
|
|
dac76a |
- chrony is a daemon which implements the Network Time Protocol (NTP) is designed to
|
|
|
dac76a |
+ chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to
|
|
|
dac76a |
synchronize system clocks across a variety of systems and use a source that is highly
|
|
|
dac76a |
accurate. More information on chrony can be found at
|
|
|
dac76a |
{{{ weblink(link="http://chrony.tuxfamily.org/") }}}.
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
|
|
|
dac76a |
index 36cae252e0..1e99e241dd 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
|
|
|
dac76a |
@@ -2,14 +2,13 @@ documentation_complete: true
|
|
|
dac76a |
|
|
|
dac76a |
prodtype: fedora,ocp4,ol8,rhel8
|
|
|
dac76a |
|
|
|
dac76a |
-title: 'The Chrony package is enabled'
|
|
|
dac76a |
+title: 'The Chrony package is installed'
|
|
|
dac76a |
|
|
|
dac76a |
description: |-
|
|
|
dac76a |
System time should be synchronized between all systems in an environment. This is
|
|
|
dac76a |
typically done by establishing an authoritative time server or set of servers and having all
|
|
|
dac76a |
systems synchronize their clocks to them.
|
|
|
dac76a |
- You can install the package with the following command:
|
|
|
dac76a |
- # dnf install chrony
|
|
|
dac76a |
+ {{{ describe_package_install(package="chrony") }}}
|
|
|
dac76a |
|
|
|
dac76a |
rationale: |-
|
|
|
dac76a |
Time synchronization is important to support time sensitive security mechanisms like
From 88ed5b1b1a44dcc9eb98cb1c514542059b7882e8 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 17 Mar 2020 11:55:44 +0100
Subject: [PATCH 04/10] make rules available for all platforms
---
.../services/ntp/chronyd_specify_remote_server/bash/shared.sh | 2 +-
.../guide/services/ntp/chronyd_specify_remote_server/rule.yml | 1 -
linux_os/guide/services/ntp/package_chrony_installed/rule.yml | 2 --
linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml | 2 --
4 files changed, 1 insertion(+), 6 deletions(-)
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
|
|
|
dac76a |
index 9fdb46d419..6be57c219b 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
|
|
|
dac76a |
@@ -1,4 +1,4 @@
|
|
|
dac76a |
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
|
|
|
dac76a |
+# platform = multi_platform_all
|
|
|
dac76a |
. /usr/share/scap-security-guide/remediation_functions
|
|
|
dac76a |
populate var_multiple_time_servers
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
|
|
|
dac76a |
index 3befba9de8..912a359080 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
|
|
|
dac76a |
@@ -1,6 +1,5 @@
|
|
|
dac76a |
documentation_complete: true
|
|
|
dac76a |
|
|
|
dac76a |
-prodtype: fedora,ocp4,ol8,rhel8
|
|
|
dac76a |
|
|
|
dac76a |
title: 'A remote NTP server for Chrony is configured'
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
|
|
|
dac76a |
index 1e99e241dd..6e2c455201 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
|
|
|
dac76a |
@@ -1,7 +1,5 @@
|
|
|
dac76a |
documentation_complete: true
|
|
|
dac76a |
|
|
|
dac76a |
-prodtype: fedora,ocp4,ol8,rhel8
|
|
|
dac76a |
-
|
|
|
dac76a |
title: 'The Chrony package is installed'
|
|
|
dac76a |
|
|
|
dac76a |
description: |-
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
|
|
|
dac76a |
index 37adcae640..e0b21d81af 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
|
|
|
dac76a |
@@ -1,7 +1,5 @@
|
|
|
dac76a |
documentation_complete: true
|
|
|
dac76a |
|
|
|
dac76a |
-prodtype: fedora,ocp4,ol8,rhel8
|
|
|
dac76a |
-
|
|
|
dac76a |
title: 'The Chronyd service is enabled'
|
|
|
dac76a |
|
|
|
dac76a |
description: |-
From bd704e243821225440f1dd7c426922624cd6c08a Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 17 Mar 2020 14:47:53 +0100
Subject: [PATCH 05/10] make oval accept also pool
add test for it
---
.../ntp/chronyd_specify_remote_server/oval/shared.xml | 2 +-
.../tests/correct_pool.pass.sh | 7 +++++++
2 files changed, 8 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct_pool.pass.sh
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml
|
|
|
dac76a |
index 3a3c2895ce..31cde36bc9 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml
|
|
|
dac76a |
@@ -20,7 +20,7 @@
|
|
|
dac76a |
|
|
|
dac76a |
id="object_chronyd_remote_server" version="1">
|
|
|
dac76a |
<ind:filepath>/etc/chrony.conf</ind:filepath>
|
|
|
dac76a |
- <ind:pattern operation="pattern match">^[\s]*server[\s]+.+$</ind:pattern>
|
|
|
dac76a |
+ <ind:pattern operation="pattern match">^[\s]*(?:server|pool)[\s]+.+$</ind:pattern>
|
|
|
dac76a |
<ind:instance datatype="int">1</ind:instance>
|
|
|
dac76a |
</ind:textfilecontent54_object>
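Review bot: The new pattern `^[\s]*(?:server|pool)[\s]+.+$` still accepts a directive with no argument, because `.+` can be satisfied by a trailing space that `[\s]+` gives back on backtracking, so a line such as `server   ` passes the check while chronyd has no usable source. The bash and Ansible remediations in this series require `[\w]+` after the keyword; using the same non-blank requirement here keeps check and fix in step, e.g. `<ind:pattern operation="pattern match">^[\s]*(?:server|pool)[\s]+[^\s]+</ind:pattern>`. The object also only extracts instance 1, which is fine for an existence test but means only the first matching line is ever examined.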
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct_pool.pass.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct_pool.pass.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..aa6e8aea2a
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct_pool.pass.sh
|
|
|
dac76a |
@@ -0,0 +1,7 @@
|
|
|
dac76a |
+#!/bin/bash
|
|
|
dac76a |
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
|
|
dac76a |
+
|
|
|
dac76a |
+
|
|
|
dac76a |
+yum -y install chrony
|
|
|
dac76a |
+
|
|
|
dac76a |
+echo "pool 0.pool.ntp.org" > /etc/chrony.conf
|
|
|
dac76a |
|
|
|
dac76a |
From 387e404f2aa33ffd36305d899e5ba2846b0e99a8 Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
dac76a |
Date: Tue, 17 Mar 2020 14:58:52 +0100
|
|
|
dac76a |
Subject: [PATCH 06/10] modify bash macro not to add iburst
|
|
|
dac76a |
|
|
|
dac76a |
---
|
|
|
dac76a |
shared/macros-bash.jinja | 2 +-
|
|
|
dac76a |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
|
|
|
dac76a |
index bc6c6f6486..01b9e62e7b 100644
|
|
|
dac76a |
--- a/shared/macros-bash.jinja
|
|
|
dac76a |
+++ b/shared/macros-bash.jinja
|
|
|
dac76a |
@@ -348,7 +348,7 @@ done
|
|
|
dac76a |
{{%- macro bash_ensure_there_are_servers_in_ntp_compatible_config_file(config_file, servers_list) -%}}
|
|
|
dac76a |
if ! grep -q '#[[:space:]]*server' "{{{ config_file }}}" ; then
|
|
|
dac76a |
for server in $(echo "{{{ servers_list }}}" | tr ',' '\n') ; do
|
|
|
dac76a |
- printf '\nserver %s iburst' "$server" >> "{{{ config_file }}}"
|
|
|
dac76a |
+ printf '\nserver %s' "$server" >> "{{{ config_file }}}"
|
|
|
dac76a |
done
|
|
|
dac76a |
else
|
|
|
dac76a |
sed -i 's/#[ \t]*server/server/g' "{{{ config_file }}}"
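Review bot: `printf '\nserver %s' "$server"` writes each entry without a terminating newline, so after the loop the config file ends mid-line and any later writer that does not itself begin with `\n` is glued onto the last `server` directive. The leading `\n` is presumably there to cope with a file that lacks a final newline; that can be kept while still terminating the line, e.g. `printf '\nserver %s\n' "$server"` (at the cost of blank separators), or one `printf '\n'` before the loop and `printf 'server %s\n' "$server"` inside it. The macro continues past the hunk (its `endmacro` is not visible), and the commit message does not say why `iburst` is dropped; a one-line comment above the `printf` stating that the option is intentionally omitted would help the next reader.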
|
|
|
dac76a |
|
|
|
dac76a |
From eb953fba0979a795743bf669270709539dca5dc4 Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
dac76a |
Date: Tue, 17 Mar 2020 17:41:58 +0100
|
|
|
dac76a |
Subject: [PATCH 07/10] fix remediations
|
|
|
dac76a |
|
|
|
dac76a |
---
|
|
|
dac76a |
.../ansible/shared.yml | 19 ++++++++++++++-----
|
|
|
dac76a |
.../bash/shared.sh | 2 +-
|
|
|
dac76a |
.../chronyd_specify_remote_server/rule.yml | 2 +-
|
|
|
dac76a |
3 files changed, 16 insertions(+), 7 deletions(-)
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml
|
|
|
dac76a |
index ad93be3580..747226601b 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml
|
|
|
dac76a |
@@ -5,9 +5,18 @@
|
|
|
dac76a |
# disruption = low
|
|
|
dac76a |
- (xccdf-var var_multiple_time_servers)
|
|
|
dac76a |
|
|
|
dac76a |
-- name: "Ensure Chrony is installed"
|
|
|
dac76a |
- package:
|
|
|
dac76a |
- name: "chrony"
|
|
|
dac76a |
- state: present
|
|
|
dac76a |
+- name: "Detect if chrony is already configured with pools or servers"
|
|
|
dac76a |
+ find:
|
|
|
dac76a |
+ path: /etc
|
|
|
dac76a |
+ patterns: chrony.conf
|
|
|
dac76a |
+ contains: '^[\s]*(?:server|pool)[\s]+[\w]+'
|
|
|
dac76a |
+ register: chrony_servers
|
|
|
dac76a |
|
|
|
dac76a |
-{{{ ansible_lineinfile(msg='Ensure remote servers are specified in chrony.conf', path='/etc/chrony.conf', regex='^[\s]*server[\s]+[\w]+', new_line='server {{ item }}', create='yes', state='present', with_items='{{ var_multiple_time_servers.split(",") }}') }}}
|
|
|
dac76a |
+- name: "Add server configuration if none found in previous task"
|
|
|
dac76a |
+ lineinfile:
|
|
|
dac76a |
+ path: /etc/chrony.conf
|
|
|
dac76a |
+ line: 'server {{ item }}'
|
|
|
dac76a |
+ state: present
|
|
|
dac76a |
+ create: True
|
|
|
dac76a |
+ loop: '{{ var_multiple_time_servers.split(",") }}'
|
|
|
dac76a |
+ when: chrony_servers.matched == 0
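Review bot: The `contains` regex `^[\s]*(?:server|pool)[\s]+[\w]+` is stricter than the OVAL pattern introduced in patch 05 (`[\s]+.+$`), so a directive whose argument begins with a non-word character (an IPv6 literal such as `::1`, or a quoted name) satisfies the check but is not counted by this `find`, and the second task then appends the `var_multiple_time_servers` entries to an already configured file. Using the same argument class in both places, e.g. `contains: '^[\s]*(?:server|pool)[\s]+[^\s]+'`, keeps detection and remediation consistent. The `find` task also yields `matched: 0` when `/etc/chrony.conf` is absent, which `create: True` on the next task relies on; a short comment on the `when:` line saying so would make the two-task design clearer.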
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
|
|
|
dac76a |
index 6be57c219b..e566219788 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
|
|
|
dac76a |
@@ -4,6 +4,6 @@ populate var_multiple_time_servers
|
|
|
dac76a |
|
|
|
dac76a |
config_file="/etc/chrony.conf"
|
|
|
dac76a |
|
|
|
dac76a |
-if ! grep -q '^[\s]*server[\s]+[\w]+' "$config_file" ; then
|
|
|
dac76a |
+if ! grep -q '^[\s]*(?:server|pool)[\s]+[\w]+' "$config_file" ; then
|
|
|
dac76a |
{{{ bash_ensure_there_are_servers_in_ntp_compatible_config_file("$config_file", "$var_multiple_time_servers") | indent(2) }}}
|
|
|
dac76a |
fi
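Review bot: `grep -q '^[\s]*(?:server|pool)[\s]+[\w]+'` is evaluated as a POSIX basic regular expression, in which `[\s]` is a bracket expression matching a literal backslash or `s`, `+`, `(`, `)` and `|` are literal characters and `?:` is not a group, so the pattern cannot match a real `server` or `pool` line and the guard enters the macro on every run; the removed line had the same defect. Use extended syntax with POSIX classes: `if ! grep -Eq '^[[:space:]]*(server|pool)[[:space:]]+[[:alnum:]_]+' "$config_file" ; then`. As written, a host that is already compliant gets the default servers appended again (or its commented `server` lines uncommented) each time the remediation runs, which the broken guard currently masks.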
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
|
|
|
dac76a |
index 912a359080..28224c2383 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
|
|
|
dac76a |
@@ -4,7 +4,7 @@ documentation_complete: true
|
|
|
dac76a |
title: 'A remote NTP server for Chrony is configured'
|
|
|
dac76a |
|
|
|
dac76a |
description: |-
|
|
|
dac76a |
- chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to
|
|
|
dac76a |
+ Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to
|
|
|
dac76a |
synchronize system clocks across a variety of systems and use a source that is highly
|
|
|
dac76a |
accurate. More information on chrony can be found at
|
|
|
dac76a |
{{{ weblink(link="http://chrony.tuxfamily.org/") }}}.
|
|
|
dac76a |
|
|
|
dac76a |
From 2106f716f5662f265a2e05b351e0fd7cb91dd698 Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
dac76a |
Date: Tue, 17 Mar 2020 17:50:10 +0100
|
|
|
dac76a |
Subject: [PATCH 08/10] fix description
|
|
|
dac76a |
|
|
|
dac76a |
---
|
|
|
dac76a |
.../ntp/chronyd_specify_remote_server/rule.yml | 12 ++++++------
|
|
|
dac76a |
1 file changed, 6 insertions(+), 6 deletions(-)
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
|
|
|
dac76a |
index 28224c2383..af250d0288 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
|
|
|
dac76a |
@@ -4,22 +4,22 @@ documentation_complete: true
|
|
|
dac76a |
title: 'A remote NTP server for Chrony is configured'
|
|
|
dac76a |
|
|
|
dac76a |
description: |-
|
|
|
dac76a |
- Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to
|
|
|
dac76a |
+ <tt>Chrony</tt> is a daemon which implements the Network Time Protocol (NTP). It is designed to
|
|
|
dac76a |
synchronize system clocks across a variety of systems and use a source that is highly
|
|
|
dac76a |
- accurate. More information on chrony can be found at
|
|
|
dac76a |
+ accurate. More information on <tt>chrony</tt> can be found at
|
|
|
dac76a |
{{{ weblink(link="http://chrony.tuxfamily.org/") }}}.
|
|
|
dac76a |
- Chrony can be configured to be a client and/or a server.
|
|
|
dac76a |
+ <tt>Chrony</tt> can be configured to be a client and/or a server.
|
|
|
dac76a |
Add or edit server or pool lines to <tt>/etc/chrony.conf</tt> as appropriate:
|
|
|
dac76a |
server <remote-server>
|
|
|
dac76a |
Multiple servers may be configured.
|
|
|
dac76a |
|
|
|
dac76a |
rationale: |-
|
|
|
dac76a |
- If chrony is in use on the system proper configuration is vital to ensuring time
|
|
|
dac76a |
+ If <tt>chrony</tt> is in use on the system proper configuration is vital to ensuring time
|
|
|
dac76a |
synchronization is working properly.
|
|
|
dac76a |
|
|
|
dac76a |
severity: medium
|
|
|
dac76a |
|
|
|
dac76a |
-platform: machine
|
|
|
dac76a |
+platform: chrony
|
|
|
dac76a |
|
|
|
dac76a |
identifiers:
|
|
|
dac76a |
cce@rhel8: 82734-5
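Review bot: The description is rendered with HTML markup (this hunk wraps names in `<tt>`), so the unchanged example line `server <remote-server>` is most likely parsed as an unknown tag and disappears from the rendered guide; escape it as `server &lt;remote-server&gt;`, and since the text now says "server or pool lines", add the parallel example `pool &lt;pool-name&gt;`. The `platform: machine` to `platform: chrony` change narrows the rule's applicability and is a functional change rather than a description fix; it appears to go together with the remediation no longer installing the package in patch 07, but the commit message titled "fix description" does not mention it.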
|
|
|
dac76a |
@@ -27,7 +27,7 @@ identifiers:
|
|
|
dac76a |
references:
|
|
|
dac76a |
cis@rhel8: 2.2.1.2
|
|
|
dac76a |
|
|
|
dac76a |
-ocil_clause: 'The remote NTP server for Chrony is not configured'
|
|
|
dac76a |
+ocil_clause: 'the remote NTP server for Chrony is not configured'
|
|
|
dac76a |
|
|
|
dac76a |
ocil: |-
|
|
|
dac76a |
Run the following command and verify remote server is configured properly:
|
|
|
dac76a |
|
|
|
dac76a |
From 6058590f752af869716a4bc166091d22cdda71e6 Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
dac76a |
Date: Tue, 17 Mar 2020 18:07:00 +0100
|
|
|
dac76a |
Subject: [PATCH 09/10] fix cces
|
|
|
dac76a |
|
|
|
dac76a |
---
|
|
|
dac76a |
.../guide/services/ntp/chronyd_specify_remote_server/rule.yml | 2 +-
|
|
|
dac76a |
linux_os/guide/services/ntp/package_chrony_installed/rule.yml | 2 +-
|
|
|
dac76a |
linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml | 4 ++--
|
|
|
dac76a |
4 files changed, 4 insertions(+), 7 deletions(-)
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
|
|
|
dac76a |
index af250d0288..fbd457d2de 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
|
|
|
dac76a |
@@ -22,7 +22,7 @@ severity: medium
|
|
|
dac76a |
platform: chrony
|
|
|
dac76a |
|
|
|
dac76a |
identifiers:
|
|
|
dac76a |
- cce@rhel8: 82734-5
|
|
|
dac76a |
+ cce@rhel8: 82873-1
|
|
|
dac76a |
|
|
|
dac76a |
references:
|
|
|
dac76a |
cis@rhel8: 2.2.1.2
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
|
|
|
dac76a |
index 6e2c455201..2549f48b71 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
|
|
|
dac76a |
@@ -18,7 +18,7 @@ severity: medium
|
|
|
dac76a |
platform: machine
|
|
|
dac76a |
|
|
|
dac76a |
identifiers:
|
|
|
dac76a |
- cce@rhel8: 82730-3
|
|
|
dac76a |
+ cce@rhel8: 82874-9
|
|
|
dac76a |
|
|
|
dac76a |
references:
|
|
|
dac76a |
cis@rhel8: 2.2.1.1
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
|
|
|
dac76a |
index e0b21d81af..829d662afe 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
|
|
|
dac76a |
@@ -21,12 +21,12 @@ severity: medium
|
|
|
dac76a |
platform: machine
|
|
|
dac76a |
|
|
|
dac76a |
identifiers:
|
|
|
dac76a |
- cce@rhel8: 82729-5
|
|
|
dac76a |
+ cce@rhel8: 82875-6
|
|
|
dac76a |
|
|
|
dac76a |
references:
|
|
|
dac76a |
cis@rhel8: 2.2.1.2
|
|
|
dac76a |
|
|
|
dac76a |
-ocil_clause: 'The chronyd process is not running'
|
|
|
dac76a |
+ocil_clause: 'the chronyd process is not running'
|
|
|
dac76a |
|
|
|
dac76a |
ocil: '{{{ ocil_service_enabled(service="chronyd") }}}'
|
|
|
dac76a |
|
|
|
dac76a |
From e70adc47f0c1cdcc7c652b5a6f19701aa61fe8f8 Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
dac76a |
Date: Wed, 18 Mar 2020 10:53:45 +0100
|
|
|
dac76a |
Subject: [PATCH 10/10] small wording changes
|
|
|
dac76a |
|
|
|
dac76a |
---
|
|
|
dac76a |
.../ntp/chronyd_specify_remote_server/ansible/shared.yml | 2 +-
|
|
|
dac76a |
.../guide/services/ntp/chronyd_specify_remote_server/rule.yml | 2 +-
|
|
|
dac76a |
2 files changed, 2 insertions(+), 2 deletions(-)
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml
|
|
|
dac76a |
index 747226601b..0c812bdc2a 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml
|
|
|
dac76a |
@@ -12,7 +12,7 @@
|
|
|
dac76a |
contains: '^[\s]*(?:server|pool)[\s]+[\w]+'
|
|
|
dac76a |
register: chrony_servers
|
|
|
dac76a |
|
|
|
dac76a |
-- name: "Add server configuration if none found in previous task"
|
|
|
dac76a |
+- name: "Configure remote time servers"
|
|
|
dac76a |
lineinfile:
|
|
|
dac76a |
path: /etc/chrony.conf
|
|
|
dac76a |
line: 'server {{ item }}'
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
|
|
|
dac76a |
index fbd457d2de..b2177fc76e 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
|
|
|
dac76a |
@@ -27,7 +27,7 @@ identifiers:
|
|
|
dac76a |
references:
|
|
|
dac76a |
cis@rhel8: 2.2.1.2
|
|
|
dac76a |
|
|
|
dac76a |
-ocil_clause: 'the remote NTP server for Chrony is not configured'
|
|
|
dac76a |
+ocil_clause: 'a remote time server is not configured'
|
|
|
dac76a |
|
|
|
dac76a |
ocil: |-
|
|
|
dac76a |
Run the following command and verify remote server is configured properly:
|