From b5379d0850f2ee366c7259512c74355d86babf2f Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 10 Mar 2020 19:05:57 +0100
Subject: [PATCH 01/10] create new chrony rules for CIS
add package_chrony_installed
add service_chronyd_enabled
add chronyd_specify_remote_server
add default value to chrony_multiple_servers variable
---
.../bash/shared.sh | 9 +++++
.../oval/shared.xml | 15 ++++++++
.../chronyd_specify_remote_server/rule.yml | 35 +++++++++++++++++
.../ntp/package_chrony_installed/rule.yml | 34 +++++++++++++++++
.../ntp/service_chronyd_enabled/rule.yml | 38 +++++++++++++++++++
.../ntp/var_multiple_time_servers.var | 3 +-
shared/templates/extra_ovals.yml | 6 ---
7 files changed, 133 insertions(+), 7 deletions(-)
create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml
create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
create mode 100644 linux_os/guide/services/ntp/package_chrony_installed/rule.yml
create mode 100644 linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
new file mode 100644
index 0000000000..ab9aab8732
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
+. /usr/share/scap-security-guide/remediation_functions
+populate var_multiple_time_servers
+
+config_file="/etc/chrony.conf"
+
+if ! grep -q ^server "$config_file" ; then
+ {{{ bash_ensure_there_are_servers_in_ntp_compatible_config_file("$config_file", "$var_multiple_time_servers") | indent(2) }}}
+fi
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml
new file mode 100644
index 0000000000..0045c93a2d
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml
@@ -0,0 +1,15 @@
+<def-group oval_version="5.11">
+ <definition class="compliance" id="chronyd_specify_remote_server" version="1">
+ <metadata>
+ <title>Specify Remote NTP chronyd Server for Time Data</title>
+ {{{- oval_affected(products) }}}
+ <description>A remote chronyd NTP Server for time synchronization should be specified (and dependencies are met)</description>
+ </metadata>
+
+ <criteria comment="chronyd enabled and remote server specified" operator="AND">
+ <extend_definition comment="service chronyd enabled" definition_ref="service_chronyd_enabled" />
+ <extend_definition comment="chronyd remote server specified" definition_ref="chronyd_specify_remote_server" />
+ </criteria>
+
+ </definition>
+</def-group>
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
new file mode 100644
index 0000000000..062d382709
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
@@ -0,0 +1,35 @@
+documentation_complete: true
+
+prodtype: fedora,ocp4,ol8,rhel8
+
+title: 'A remote NTP server for Chrony is configured'
+
+description: |-
+ chrony is a daemon which implements the Network Time Protocol (NTP) is designed to
+ synchronize system clocks across a variety of systems and use a source that is highly
+ accurate. More information on chrony can be found at
+ {{{ weblink(link="http://chrony.tuxfamily.org/") }}}.
+ Chrony can be configured to be a client and/or a server.
+ Add or edit server or pool lines to <tt>/etc/chrony.conf</tt> as appropriate:
+ <pre>server <remote-server></pre>
+ Multiple servers may be configured.
+
+rationale: |-
+ If chrony is in use on the system proper configuration is vital to ensuring time
+ synchronization is working properly.
+
+severity: medium
+
+platform: machine
+
+identifiers:
+ cce@rhel8: 82734-5
+
+references:
+ cis@rhel8: 2.2.1.2
+
+ocil_clause: 'The remote NTP server for Chrony is not configured'
+
+ocil: |-
+ Run the following command and verify remote server is configured properly:
+ <pre># grep -E "^(server|pool)" /etc/chrony.conf</pre>
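Review bot: The placeholder in `<pre>server <remote-server></pre>` is unescaped angle brackets inside a description that is emitted as XHTML, so `<remote-server>` will be taken as a markup element rather than shown to the reader; write it as `<pre>server &lt;remote-server&gt;</pre>`. The same description tells the admin to use either `server` or `pool`, and the OCIL grep accepts both, so the automated check for this rule should accept the same two directives. The rationale here is weaker than the one in package_chrony_installed; consider repeating the Kerberos/log-correlation reasoning, since that is what makes a wrong or missing time source a security issue rather than a convenience one.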
diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
new file mode 100644
index 0000000000..36cae252e0
--- /dev/null
+++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
@@ -0,0 +1,34 @@
+documentation_complete: true
+
+prodtype: fedora,ocp4,ol8,rhel8
+
+title: 'The Chrony package is enabled'
+
+description: |-
+ System time should be synchronized between all systems in an environment. This is
+ typically done by establishing an authoritative time server or set of servers and having all
+ systems synchronize their clocks to them.
+ You can install the package with the following command:
+ <pre># dnf install chrony</pre>
+
+rationale: |-
+ Time synchronization is important to support time sensitive security mechanisms like
+ Kerberos and also ensures log files have consistent time records across the enterprise,
+ which aids in forensic investigations.
+
+severity: medium
+
+platform: machine
+
+identifiers:
+ cce@rhel8: 82730-3
+
+references:
+ cis@rhel8: 2.2.1.1
+
+{{{ complete_ocil_entry_package(package="chrony") }}}
+
+template:
+ name: package_installed
+ vars:
+ pkgname: chrony
diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
new file mode 100644
index 0000000000..37adcae640
--- /dev/null
+++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
@@ -0,0 +1,38 @@
+documentation_complete: true
+
+prodtype: fedora,ocp4,ol8,rhel8
+
+title: 'The Chronyd service is enabled'
+
+description: |-
+ chrony is a daemon which implements the Network Time Protocol (NTP) is designed to
+ synchronize system clocks across a variety of systems and use a source that is highly
+ accurate. More information on chrony can be found at
+ {{{ weblink(link="http://chrony.tuxfamily.org/") }}}.
+ Chrony can be configured to be a client and/or a server.
+ To enable Chronyd service, you can run:
+ <tt># systemctl enable chronyd.service</tt>
+ This recommendation only applies if chrony is in use on the system.
+
+rationale: |-
+ If chrony is in use on the system proper configuration is vital to ensuring time
+ synchronization is working properly.
+
+severity: medium
+
+platform: machine
+
+identifiers:
+ cce@rhel8: 82729-5
+
+references:
+ cis@rhel8: 2.2.1.2
+
+ocil_clause: 'The chronyd process is not running'
+
+ocil: '{{{ ocil_service_enabled(service="chronyd") }}}'
+
+template:
+ name: service_enabled
+ vars:
+ servicename: chronyd
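Review bot: The `ocil_clause` says `The chronyd process is not running`, but the OCIL it accompanies asks whether the service is enabled, so the generated "if ... then this is a finding" sentence describes a different condition than the one that is checked; use `ocil_clause: 'the chronyd service is not enabled'`. Separately, the `extra_ovals.yml` stanza this commit removes carried `packagename: chrony`, and the new `template.vars` drops it. If the `service_enabled` template falls back to `servicename` for the package name, any package-gated logic in the generated content would look for a package called `chronyd`, which does not exist; adding `packagename: chrony` under `vars` preserves the previous behaviour either way.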
diff --git a/linux_os/guide/services/ntp/var_multiple_time_servers.var b/linux_os/guide/services/ntp/var_multiple_time_servers.var
index 32deb2b851..47c6594ad2 100644
--- a/linux_os/guide/services/ntp/var_multiple_time_servers.var
+++ b/linux_os/guide/services/ntp/var_multiple_time_servers.var
@@ -6,9 +6,10 @@ description: 'The list of vendor-approved time servers'
type: string
-interactive: false
+interactive: true
options:
+ default: "0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org"
fedora: "0.fedora.pool.ntp.org,1.fedora.pool.ntp.org,2.fedora.pool.ntp.org,3.fedora.pool.ntp.org"
rhel: "0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org"
ol: "0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org"
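Review bot: The new `default` points every product without its own entry at the public, unauthenticated `pool.ntp.org`, while the variable's own description says it is "the list of vendor-approved time servers"; a remediation run from a hardening profile should not silently enrol hosts with an internet pool, and on a network without egress it produces a passing configuration that never synchronises. Add a comment above the new line such as `# Public pool used only as a last resort; profiles for managed environments are expected to override this with internal/authenticated sources`, and consider whether the description should say so as well. Note that the check this feeds only verifies that some `server`/`pool` line exists, not that it names one of these hosts, so the variable is purely a remediation input.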
diff --git a/shared/templates/extra_ovals.yml b/shared/templates/extra_ovals.yml
index 9768f5c5c4..948912c228 100644
--- a/shared/templates/extra_ovals.yml
+++ b/shared/templates/extra_ovals.yml
@@ -43,12 +43,6 @@ package_prelink_removed:
vars:
pkgname: prelink
-service_chronyd_enabled:
- name: service_enabled
- vars:
- servicename: chronyd
- packagename: chrony
-
service_sssd_disabled:
name: service_disabled
vars:
From e6145398300fae26e9765dc2798d7eec602be70c Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 11 Mar 2020 11:05:17 +0100
Subject: [PATCH 02/10] add tests and ansible remediation
remove shared oval for checking chronyd_specify_remote_server
---
.../ansible/shared.yml | 13 ++++++++
.../bash/shared.sh | 2 +-
.../oval/shared.xml | 32 +++++++++++++------
.../tests/correct.pass.sh | 7 ++++
.../tests/file_empty.fail.sh | 6 ++++
.../tests/file_missing.fail.sh | 6 ++++
.../tests/line_missing.fail.sh | 7 ++++
.../tests/multiple_servers.pass.sh | 7 ++++
.../tests/server_not_specified.fail.sh | 6 ++++
.../oval/chronyd_specify_remote_server.xml | 29 -----------------
10 files changed, 76 insertions(+), 39 deletions(-)
create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml
create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct.pass.sh
create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_empty.fail.sh
create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_missing.fail.sh
create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/line_missing.fail.sh
create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/multiple_servers.pass.sh
create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/server_not_specified.fail.sh
delete mode 100644 shared/checks/oval/chronyd_specify_remote_server.xml
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml
new file mode 100644
index 0000000000..ad93be3580
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+- (xccdf-var var_multiple_time_servers)
+
+- name: "Ensure Chrony is installed"
+ package:
+ name: "chrony"
+ state: present
+
+{{{ ansible_lineinfile(msg='Ensure remote servers are specified in chrony.conf', path='/etc/chrony.conf', regex='^[\s]*server[\s]+[\w]+', new_line='server {{ item }}', create='yes', state='present', with_items='{{ var_multiple_time_servers.split(",") }}') }}}
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
index ab9aab8732..9fdb46d419 100644
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
@@ -4,6 +4,6 @@ populate var_multiple_time_servers
config_file="/etc/chrony.conf"
-if ! grep -q ^server "$config_file" ; then
+if ! grep -q '^[\s]*server[\s]+[\w]+' "$config_file" ; then
{{{ bash_ensure_there_are_servers_in_ntp_compatible_config_file("$config_file", "$var_multiple_time_servers") | indent(2) }}}
fi
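Review bot: The new pattern `'^[\s]*server[\s]+[\w]+'` is a PCRE-style expression, but it is passed to plain `grep`, which interprets it as a basic regular expression: `[\s]` is a bracket expression matching a backslash or the letter `s`, and `+` is a literal plus sign. A real line such as `server 0.pool.ntp.org` therefore never matches, the `if !` branch is always taken, and the macro appends the full server list on every run (duplicating entries on re-runs). Use `grep -qE '^[[:space:]]*server[[:space:]]+[^[:space:]]' "$config_file"` (or `grep -qP` with the original pattern, if PCRE support can be assumed on every platform the script targets).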
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml
index 0045c93a2d..744ea925c9 100644
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml
@@ -1,15 +1,29 @@
-<def-group oval_version="5.11">
+<def-group>
<definition class="compliance" id="chronyd_specify_remote_server" version="1">
<metadata>
- <title>Specify Remote NTP chronyd Server for Time Data</title>
- {{{- oval_affected(products) }}}
- <description>A remote chronyd NTP Server for time synchronization should be specified (and dependencies are met)</description>
+ <title>Specify a Remote NTP Server for Time Data</title>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ <description>A remote NTP Server for time synchronization should be
+ specified (and dependencies are met)</description>
</metadata>
-
- <criteria comment="chronyd enabled and remote server specified" operator="AND">
- <extend_definition comment="service chronyd enabled" definition_ref="service_chronyd_enabled" />
- <extend_definition comment="chronyd remote server specified" definition_ref="chronyd_specify_remote_server" />
+ <criteria comment="chrony.conf conditions are met">
+ <criterion test_ref="test_chronyd_remote_server" />
</criteria>
-
</definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists"
+ comment="Ensure at least one NTP server is set" id="test_chronyd_remote_server"
+ version="1">
+ <ind:object object_ref="object_chronyd_remote_server" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object comment="Ensure at least one NTP server is set"
+ id="object_chronyd_remote_server" version="1">
+ <ind:filepath>/etc/chrony.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*server[\s]+.+$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
</def-group>
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct.pass.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct.pass.sh
new file mode 100644
index 0000000000..d5db6a6fb3
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+
+
+yum -y install chrony
+
+echo "server 0.pool.ntp.org" > /etc/chrony.conf
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_empty.fail.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_empty.fail.sh
new file mode 100644
index 0000000000..15c414d9fc
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_empty.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+
+yum -y install chrony
+
+echo "" > /etc/chrony.conf
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_missing.fail.sh
new file mode 100644
index 0000000000..4e02f34c0f
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_missing.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+
+yum -y install chrony
+
+rm -f /etc/chrony.conf
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/line_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/line_missing.fail.sh
new file mode 100644
index 0000000000..acae68b7ee
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/line_missing.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+
+yum -y install chrony
+
+echo "some line" > /etc/chrony.conf
+echo "another line" >> /etc/chrony.conf
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/multiple_servers.pass.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/multiple_servers.pass.sh
new file mode 100644
index 0000000000..d239a76dda
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/multiple_servers.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+
+yum -y install chrony
+
+echo "server 0.pool.ntp.org" > /etc/chrony.conf
+echo "server 1.pool.ntp.org" >> /etc/chrony.conf
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/server_not_specified.fail.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/server_not_specified.fail.sh
new file mode 100644
index 0000000000..63c2a7f0a4
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/server_not_specified.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+
+yum -y install chrony
+
+echo "server " > /etc/chrony.conf
diff --git a/shared/checks/oval/chronyd_specify_remote_server.xml b/shared/checks/oval/chronyd_specify_remote_server.xml
deleted file mode 100644
index 744ea925c9..0000000000
--- a/shared/checks/oval/chronyd_specify_remote_server.xml
+++ /dev/null
@@ -1,29 +0,0 @@
-<def-group>
- <definition class="compliance" id="chronyd_specify_remote_server" version="1">
- <metadata>
- <title>Specify a Remote NTP Server for Time Data</title>
- <affected family="unix">
- <platform>multi_platform_all</platform>
- </affected>
- <description>A remote NTP Server for time synchronization should be
- specified (and dependencies are met)</description>
- </metadata>
- <criteria comment="chrony.conf conditions are met">
- <criterion test_ref="test_chronyd_remote_server" />
- </criteria>
- </definition>
-
- <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists"
- comment="Ensure at least one NTP server is set" id="test_chronyd_remote_server"
- version="1">
- <ind:object object_ref="object_chronyd_remote_server" />
- </ind:textfilecontent54_test>
-
- <ind:textfilecontent54_object comment="Ensure at least one NTP server is set"
- id="object_chronyd_remote_server" version="1">
- <ind:filepath>/etc/chrony.conf</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*server[\s]+.+$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-
-</def-group>
From bc61c4eb7552012761223d75870c8bee36d5acc0 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 12 Mar 2020 17:05:12 +0100
Subject: [PATCH 03/10] fix typos and fix oval affected products
---
.../ntp/chronyd_specify_remote_server/oval/shared.xml | 4 +---
.../services/ntp/chronyd_specify_remote_server/rule.yml | 2 +-
.../guide/services/ntp/package_chrony_installed/rule.yml | 5 ++---
3 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml
index 744ea925c9..3a3c2895ce 100644
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml
@@ -2,9 +2,7 @@
<definition class="compliance" id="chronyd_specify_remote_server" version="1">
<metadata>
<title>Specify a Remote NTP Server for Time Data</title>
- <affected family="unix">
- <platform>multi_platform_all</platform>
- </affected>
+ {{{- oval_affected(products) }}}
<description>A remote NTP Server for time synchronization should be
specified (and dependencies are met)</description>
</metadata>
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
index 062d382709..3befba9de8 100644
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
@@ -5,7 +5,7 @@ prodtype: fedora,ocp4,ol8,rhel8
title: 'A remote NTP server for Chrony is configured'
description: |-
- chrony is a daemon which implements the Network Time Protocol (NTP) is designed to
+ chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to
synchronize system clocks across a variety of systems and use a source that is highly
accurate. More information on chrony can be found at
{{{ weblink(link="http://chrony.tuxfamily.org/") }}}.
diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
index 36cae252e0..1e99e241dd 100644
--- a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
+++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
@@ -2,14 +2,13 @@ documentation_complete: true
prodtype: fedora,ocp4,ol8,rhel8
-title: 'The Chrony package is enabled'
+title: 'The Chrony package is installed'
description: |-
System time should be synchronized between all systems in an environment. This is
typically done by establishing an authoritative time server or set of servers and having all
systems synchronize their clocks to them.
- You can install the package with the following command:
- <pre># dnf install chrony</pre>
+ {{{ describe_package_install(package="chrony") }}}
rationale: |-
Time synchronization is important to support time sensitive security mechanisms like
From 88ed5b1b1a44dcc9eb98cb1c514542059b7882e8 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 17 Mar 2020 11:55:44 +0100
Subject: [PATCH 04/10] make rules available for all platforms
---
.../services/ntp/chronyd_specify_remote_server/bash/shared.sh | 2 +-
.../guide/services/ntp/chronyd_specify_remote_server/rule.yml | 1 -
linux_os/guide/services/ntp/package_chrony_installed/rule.yml | 2 --
linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml | 2 --
4 files changed, 1 insertion(+), 6 deletions(-)
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
index 9fdb46d419..6be57c219b 100644
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
+# platform = multi_platform_all
. /usr/share/scap-security-guide/remediation_functions
populate var_multiple_time_servers
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
index 3befba9de8..912a359080 100644
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
@@ -1,6 +1,5 @@
documentation_complete: true
-prodtype: fedora,ocp4,ol8,rhel8
title: 'A remote NTP server for Chrony is configured'
diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
index 1e99e241dd..6e2c455201 100644
--- a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
+++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
@@ -1,7 +1,5 @@
documentation_complete: true
-prodtype: fedora,ocp4,ol8,rhel8
-
title: 'The Chrony package is installed'
description: |-
diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
index 37adcae640..e0b21d81af 100644
--- a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
+++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
@@ -1,7 +1,5 @@
documentation_complete: true
-prodtype: fedora,ocp4,ol8,rhel8
-
title: 'The Chronyd service is enabled'
description: |-
From bd704e243821225440f1dd7c426922624cd6c08a Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 17 Mar 2020 14:47:53 +0100
Subject: [PATCH 05/10] make oval accept also pool
add test for it
---
.../ntp/chronyd_specify_remote_server/oval/shared.xml | 2 +-
.../tests/correct_pool.pass.sh | 7 +++++++
2 files changed, 8 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct_pool.pass.sh
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml
index 3a3c2895ce..31cde36bc9 100644
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml
@@ -20,7 +20,7 @@
<ind:textfilecontent54_object comment="Ensure at least one NTP server is set"
id="object_chronyd_remote_server" version="1">
<ind:filepath>/etc/chrony.conf</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*server[\s]+.+$</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*(?:server|pool)[\s]+.+$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
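Review bot: `.+$` after `[\s]+` still accepts an argument made only of whitespace, because the `[\s]+` can take one space and `.+` the next, so `server  ` (two trailing spaces) satisfies the check while `server ` (one) does not; the intent is clearly "a non-empty host", which is `^[\s]*(?:server|pool)[\s]+\S+`. That also aligns the OVAL with the `[\w]+` requirement used by the bash and Ansible remediations, so the check and the fix agree on what counts as a configured source. Note that this check only establishes that some source directive exists; it says nothing about whether the host named is an approved or authenticated one.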
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct_pool.pass.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct_pool.pass.sh
new file mode 100644
index 0000000000..aa6e8aea2a
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct_pool.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+
+
+yum -y install chrony
+
+echo "pool 0.pool.ntp.org" > /etc/chrony.conf
From 387e404f2aa33ffd36305d899e5ba2846b0e99a8 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 17 Mar 2020 14:58:52 +0100
Subject: [PATCH 06/10] modify bash macro not to add iburst
---
shared/macros-bash.jinja | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
index bc6c6f6486..01b9e62e7b 100644
--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
@@ -348,7 +348,7 @@ done
{{%- macro bash_ensure_there_are_servers_in_ntp_compatible_config_file(config_file, servers_list) -%}}
if ! grep -q '#[[:space:]]*server' "{{{ config_file }}}" ; then
for server in $(echo "{{{ servers_list }}}" | tr ',' '\n') ; do
- printf '\nserver %s iburst' "$server" >> "{{{ config_file }}}"
+ printf '\nserver %s' "$server" >> "{{{ config_file }}}"
done
else
sed -i 's/#[ \t]*server/server/g' "{{{ config_file }}}"
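Review bot: Dropping `iburst` changes a shared macro, so every rule that calls `bash_ensure_there_are_servers_in_ntp_compatible_config_file` loses the fast initial synchronisation, not just the new chrony rule; if the change is only meant to match the Ansible remediation for chrony, a macro parameter (for example `add_iburst=true` defaulting to the old behaviour) keeps the other callers unchanged. The `else` branch visible at the end of the hunk runs `sed -i 's/#[ \t]*server/server/g'` over the whole file, which uncomments every commented-out `server` line the distribution shipped rather than adding the hosts from `servers_list`, so a remediated host can end up synchronising with example servers instead of the approved ones; the macro body continues past the end of this hunk.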
From eb953fba0979a795743bf669270709539dca5dc4 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 17 Mar 2020 17:41:58 +0100
Subject: [PATCH 07/10] fix remediations
---
.../ansible/shared.yml | 19 ++++++++++++++-----
.../bash/shared.sh | 2 +-
.../chronyd_specify_remote_server/rule.yml | 2 +-
3 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml
index ad93be3580..747226601b 100644
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml
@@ -5,9 +5,18 @@
# disruption = low
- (xccdf-var var_multiple_time_servers)
-- name: "Ensure Chrony is installed"
- package:
- name: "chrony"
- state: present
+- name: "Detect if chrony is already configured with pools or servers"
+ find:
+ path: /etc
+ patterns: chrony.conf
+ contains: '^[\s]*(?:server|pool)[\s]+[\w]+'
+ register: chrony_servers
-{{{ ansible_lineinfile(msg='Ensure remote servers are specified in chrony.conf', path='/etc/chrony.conf', regex='^[\s]*server[\s]+[\w]+', new_line='server {{ item }}', create='yes', state='present', with_items='{{ var_multiple_time_servers.split(",") }}') }}}
+- name: "Add server configuration if none found in previous task"
+ lineinfile:
+ path: /etc/chrony.conf
+ line: 'server {{ item }}'
+ state: present
+ create: True
+ loop: '{{ var_multiple_time_servers.split(",") }}'
+ when: chrony_servers.matched == 0
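Review bot: The Ansible and bash remediations for this rule no longer converge on the same configuration: this playbook appends the approved list only when no active `server`/`pool` line exists and leaves commented `#server` lines alone, whereas the bash path (through the shared macro) uncomments any existing `#server` lines instead of adding the variable's hosts. A host remediated by one path can pass the check with a different set of time sources than a host remediated by the other; either both should add the approved list or both should uncomment. Minor: `create: True` should be `create: true` to follow the lowercase boolean convention used elsewhere in the project's Ansible content.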
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
index 6be57c219b..e566219788 100644
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
@@ -4,6 +4,6 @@ populate var_multiple_time_servers
config_file="/etc/chrony.conf"
-if ! grep -q '^[\s]*server[\s]+[\w]+' "$config_file" ; then
+if ! grep -q '^[\s]*(?:server|pool)[\s]+[\w]+' "$config_file" ; then
{{{ bash_ensure_there_are_servers_in_ntp_compatible_config_file("$config_file", "$var_multiple_time_servers") | indent(2) }}}
fi
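Review bot: `'^[\s]*(?:server|pool)[\s]+[\w]+'` is still passed to plain `grep`, which reads it as a basic regular expression where `(`, `?`, `:` and `|` are literal characters and `[\s]` matches only a backslash or `s`; the pattern can never match a real `server`/`pool` directive, so the guard is always false and the macro runs unconditionally, appending the server list again on each execution. Either switch to extended syntax with POSIX classes, `grep -qE '^[[:space:]]*(server|pool)[[:space:]]+[^[:space:]]' "$config_file"`, or use `grep -qP` if every targeted platform's grep is built with PCRE. The test cases in this series only exercise the check, not the remediation, so this would not be caught by them.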
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
index 912a359080..28224c2383 100644
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
@@ -4,7 +4,7 @@ documentation_complete: true
title: 'A remote NTP server for Chrony is configured'
description: |-
- chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to
+ Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to
synchronize system clocks across a variety of systems and use a source that is highly
accurate. More information on chrony can be found at
{{{ weblink(link="http://chrony.tuxfamily.org/") }}}.
From 2106f716f5662f265a2e05b351e0fd7cb91dd698 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 17 Mar 2020 17:50:10 +0100
Subject: [PATCH 08/10] fix description
---
.../ntp/chronyd_specify_remote_server/rule.yml | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
index 28224c2383..af250d0288 100644
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
@@ -4,22 +4,22 @@ documentation_complete: true
title: 'A remote NTP server for Chrony is configured'
description: |-
- Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to
+ <tt>Chrony</tt> is a daemon which implements the Network Time Protocol (NTP). It is designed to
synchronize system clocks across a variety of systems and use a source that is highly
- accurate. More information on chrony can be found at
+ accurate. More information on <tt>chrony</tt> can be found at
{{{ weblink(link="http://chrony.tuxfamily.org/") }}}.
- Chrony can be configured to be a client and/or a server.
+ <tt>Chrony</tt> can be configured to be a client and/or a server.
Add or edit server or pool lines to <tt>/etc/chrony.conf</tt> as appropriate:
<pre>server <remote-server></pre>
Multiple servers may be configured.
rationale: |-
- If chrony is in use on the system proper configuration is vital to ensuring time
+ If <tt>chrony</tt> is in use on the system proper configuration is vital to ensuring time
synchronization is working properly.
severity: medium
-platform: machine
+platform: chrony
identifiers:
cce@rhel8: 82734-5
@@ -27,7 +27,7 @@ identifiers:
references:
cis@rhel8: 2.2.1.2
-ocil_clause: 'The remote NTP server for Chrony is not configured'
+ocil_clause: 'the remote NTP server for Chrony is not configured'
ocil: |-
Run the following command and verify remote server is configured properly:
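Review bot: Changing `platform: machine` to `platform: chrony` scopes this rule to hosts that actually have chrony, which matches the CIS wording, but the sibling `service_chronyd_enabled` rule created earlier in this series keeps `platform: machine` even though its description says the recommendation "only applies if chrony is in use"; with the CIS 2.2.1.2 reference shared between the two rules, the applicability should be the same, so consider `platform: chrony` there too (that file is outside this hunk). The description otherwise still needs the placeholder escaped: `<pre>server &lt;remote-server&gt;</pre>`.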
From 6058590f752af869716a4bc166091d22cdda71e6 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 17 Mar 2020 18:07:00 +0100
Subject: [PATCH 09/10] fix cces
---
.../guide/services/ntp/chronyd_specify_remote_server/rule.yml | 2 +-
linux_os/guide/services/ntp/package_chrony_installed/rule.yml | 2 +-
linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml | 4 ++--
4 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
index af250d0288..fbd457d2de 100644
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
@@ -22,7 +22,7 @@ severity: medium
platform: chrony
identifiers:
- cce@rhel8: 82734-5
+ cce@rhel8: 82873-1
references:
cis@rhel8: 2.2.1.2
diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
index 6e2c455201..2549f48b71 100644
--- a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
+++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
@@ -18,7 +18,7 @@ severity: medium
platform: machine
identifiers:
- cce@rhel8: 82730-3
+ cce@rhel8: 82874-9
references:
cis@rhel8: 2.2.1.1
diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
index e0b21d81af..829d662afe 100644
--- a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
+++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
@@ -21,12 +21,12 @@ severity: medium
platform: machine
identifiers:
- cce@rhel8: 82729-5
+ cce@rhel8: 82875-6
references:
cis@rhel8: 2.2.1.2
-ocil_clause: 'The chronyd process is not running'
+ocil_clause: 'the chronyd process is not running'
ocil: '{{{ ocil_service_enabled(service="chronyd") }}}'
From e70adc47f0c1cdcc7c652b5a6f19701aa61fe8f8 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 18 Mar 2020 10:53:45 +0100
Subject: [PATCH 10/10] small wording changes
---
.../ntp/chronyd_specify_remote_server/ansible/shared.yml | 2 +-
.../guide/services/ntp/chronyd_specify_remote_server/rule.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml
index 747226601b..0c812bdc2a 100644
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml
@@ -12,7 +12,7 @@
contains: '^[\s]*(?:server|pool)[\s]+[\w]+'
register: chrony_servers
-- name: "Add server configuration if none found in previous task"
+- name: "Configure remote time servers"
lineinfile:
path: /etc/chrony.conf
line: 'server {{ item }}'
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
index fbd457d2de..b2177fc76e 100644
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
@@ -27,7 +27,7 @@ identifiers:
references:
cis@rhel8: 2.2.1.2
-ocil_clause: 'the remote NTP server for Chrony is not configured'
+ocil_clause: 'a remote time server is not configured'
ocil: |-
Run the following command and verify remote server is configured properly: