From b5379d0850f2ee366c7259512c74355d86babf2f Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 10 Mar 2020 19:05:57 +0100 Subject: [PATCH 01/10] create new chrony rules for CIS add package_chrony_installed add service_chronyd_enabled add chrony_specify_remote_server add default value to chrony_multiple_servers variable --- .../bash/shared.sh | 9 +++++ .../oval/shared.xml | 15 ++++++++ .../chronyd_specify_remote_server/rule.yml | 35 +++++++++++++++++ .../ntp/package_chrony_installed/rule.yml | 34 +++++++++++++++++ .../ntp/service_chronyd_enabled/rule.yml | 38 +++++++++++++++++++ .../ntp/var_multiple_time_servers.var | 3 +- shared/templates/extra_ovals.yml | 6 --- 7 files changed, 133 insertions(+), 7 deletions(-) create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml create mode 100644 linux_os/guide/services/ntp/package_chrony_installed/rule.yml create mode 100644 linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh new file mode 100644 index 0000000000..ab9aab8732 --- /dev/null +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh @@ -0,0 +1,9 @@ +# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol +. /usr/share/scap-security-guide/remediation_functions +populate var_multiple_time_servers + +config_file="/etc/chrony.conf" + +if ! grep -q ^server "$config_file" ; then + {{{ bash_ensure_there_are_servers_in_ntp_compatible_config_file("$config_file", "$var_multiple_time_servers") | indent(2) }}} +fi 
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml new file mode 100644 index 0000000000..0045c93a2d --- /dev/null +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml @@ -0,0 +1,15 @@ + + + + Specify Remote NTP chronyd Server for Time Data + {{{- oval_affected(products) }}} + A remote chronyd NTP Server for time synchronization should be specified (and dependencies are met) + + + + + + + + + diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml new file mode 100644 index 0000000000..062d382709 --- /dev/null +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml @@ -0,0 +1,35 @@ +documentation_complete: true + +prodtype: fedora,ocp4,ol8,rhel8 + +title: 'A remote NTP server for Chrony is configured' + +description: |- + chrony is a daemon which implements the Network Time Protocol (NTP) is designed to + synchronize system clocks across a variety of systems and use a source that is highly + accurate. More information on chrony can be found at + {{{ weblink(link="http://chrony.tuxfamily.org/") }}}. + Chrony can be configured to be a client and/or a server. + Add or edit server or pool lines to /etc/chrony.conf as appropriate: +
server <remote-server>
+ Multiple servers may be configured. + +rationale: |- + If chrony is in use on the system proper configuration is vital to ensuring time + synchronization is working properly. + +severity: medium + +platform: machine + +identifiers: + cce@rhel8: 82734-5 + +references: + cis@rhel8: 2.2.1.2 + +ocil_clause: 'The remote NTP server for Chrony is not configured' + +ocil: |- + Run the following command and verify remote server is configured properly: +
# grep -E "^(server|pool)" /etc/chrony.conf
diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml new file mode 100644 index 0000000000..36cae252e0 --- /dev/null +++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml @@ -0,0 +1,34 @@ +documentation_complete: true + +prodtype: fedora,ocp4,ol8,rhel8 + +title: 'The Chrony package is enabled' + +description: |- + System time should be synchronized between all systems in an environment. This is + typically done by establishing an authoritative time server or set of servers and having all + systems synchronize their clocks to them. + You can install the package with the following command: +
# dnf install chrony
+ +rationale: |- + Time synchronization is important to support time sensitive security mechanisms like + Kerberos and also ensures log files have consistent time records across the enterprise, + which aids in forensic investigations. + +severity: medium + +platform: machine + +identifiers: + cce@rhel8: 82730-3 + +references: + cis@rhel8: 2.2.1.1 + +{{{ complete_ocil_entry_package(package="chrony") }}} + +template: + name: package_installed + vars: + pkgname: chrony diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml new file mode 100644 index 0000000000..37adcae640 --- /dev/null +++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml @@ -0,0 +1,38 @@ +documentation_complete: true + +prodtype: fedora,ocp4,ol8,rhel8 + +title: 'The Chronyd service is enabled' + +description: |- + chrony is a daemon which implements the Network Time Protocol (NTP) is designed to + synchronize system clocks across a variety of systems and use a source that is highly + accurate. More information on chrony can be found at + {{{ weblink(link="http://chrony.tuxfamily.org/") }}}. + Chrony can be configured to be a client and/or a server. + To enable Chronyd service, you can run: + # systemctl enable chronyd.service + This recommendation only applies if chrony is in use on the system. + +rationale: |- + If chrony is in use on the system proper configuration is vital to ensuring time + synchronization is working properly. + +severity: medium + +platform: machine + +identifiers: + cce@rhel8: 82729-5 + +references: + cis@rhel8: 2.2.1.2 + +ocil_clause: 'The chronyd process is not running' + +ocil: '{{{ ocil_service_enabled(service="chronyd") }}}' + +template: + name: service_enabled + vars: + servicename: chronyd diff --git a/linux_os/guide/services/ntp/var_multiple_time_servers.var b/linux_os/guide/services/ntp/var_multiple_time_servers.var index 32deb2b851..47c6594ad2 100644 
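Review bot: The `service_enabled` template block at the end of service_chronyd_enabled/rule.yml passes only `servicename: chronyd`, whereas the extra_ovals.yml entry this commit deletes also carried `packagename: chrony`; if the template uses `packagename` to tie the check to the installed package, the new rule silently loses that part of the check. Add `packagename: chrony` under `vars:` unless the drop is intended, and say so in the commit message if it is. Separately, `ocil_clause: 'The chronyd process is not running'` describes a running process while the OCIL text comes from `ocil_service_enabled` and the template name suggests it asserts enablement; `ocil_clause: 'the chronyd service is not enabled'` would match what is actually checked.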
--- a/linux_os/guide/services/ntp/var_multiple_time_servers.var +++ b/linux_os/guide/services/ntp/var_multiple_time_servers.var @@ -6,9 +6,10 @@ description: 'The list of vendor-approved time servers' type: string -interactive: false +interactive: true options: + default: "0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org" fedora: "0.fedora.pool.ntp.org,1.fedora.pool.ntp.org,2.fedora.pool.ntp.org,3.fedora.pool.ntp.org" rhel: "0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org" ol: "0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org" diff --git a/shared/templates/extra_ovals.yml b/shared/templates/extra_ovals.yml index 9768f5c5c4..948912c228 100644 --- a/shared/templates/extra_ovals.yml +++ b/shared/templates/extra_ovals.yml @@ -43,12 +43,6 @@ package_prelink_removed: vars: pkgname: prelink -service_chronyd_enabled: - name: service_enabled - vars: - servicename: chronyd - packagename: chrony - service_sssd_disabled: name: service_disabled vars: From e6145398300fae26e9765dc2798d7eec602be70c Mon Sep 17 00:00:00 2001 
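Review bot: The var_multiple_time_servers.var hunk also flips `interactive` from `false` to `true`, which the commit message ("add default value to chrony_multiple_servers variable") does not mention, so it is unclear whether that change is deliberate; note it in the message if it is, drop it if not. The new `default:` points at the public `*.pool.ntp.org` servers although the variable's description reads 'The list of vendor-approved time servers'; a short comment above `default:`, `# generic fallback: the public NTP pool, for products without a vendor pool`, would stop it being read as an approved list.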
From: Vojtech Polasek Date: Wed, 11 Mar 2020 11:05:17 +0100 Subject: [PATCH 02/10] add tests and ansible remediation remove shared oval for checking chronyd_specify_remote_server --- .../ansible/shared.yml | 13 ++++++++ .../bash/shared.sh | 2 +- .../oval/shared.xml | 32 +++++++++++++------ .../tests/correct.pass.sh | 7 ++++ .../tests/file_empty.fail.sh | 6 ++++ .../tests/file_missing.fail.sh | 6 ++++ .../tests/line_missing.fail.sh | 7 ++++ .../tests/multiple_servers.pass.sh | 7 ++++ .../tests/server_not_specified.fail.sh | 6 ++++ .../oval/chronyd_specify_remote_server.xml | 29 ----------------- 10 files changed, 76 insertions(+), 39 deletions(-) create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct.pass.sh create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_empty.fail.sh create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_missing.fail.sh create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/line_missing.fail.sh create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/multiple_servers.pass.sh create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/server_not_specified.fail.sh delete mode 100644 shared/checks/oval/chronyd_specify_remote_server.xml diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml new file mode 100644 index 0000000000..ad93be3580 --- /dev/null +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml 
@@ -0,0 +1,13 @@ +# platform = multi_platform_all +# reboot = false +# strategy = configure +# complexity = low +# disruption = low +- (xccdf-var var_multiple_time_servers) + +- name: "Ensure Chrony is installed" + package: + name: "chrony" + state: present + +{{{ ansible_lineinfile(msg='Ensure remote servers are specified in chrony.conf', path='/etc/chrony.conf', regex='^[\s]*server[\s]+[\w]+', new_line='server {{ item }}', create='yes', state='present', with_items='{{ var_multiple_time_servers.split(",") }}') }}} diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh index ab9aab8732..9fdb46d419 100644 --- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh @@ -4,6 +4,6 @@ populate var_multiple_time_servers config_file="/etc/chrony.conf" -if ! grep -q ^server "$config_file" ; then +if ! grep -q '^[\s]*server[\s]+[\w]+' "$config_file" ; then {{{ bash_ensure_there_are_servers_in_ntp_compatible_config_file("$config_file", "$var_multiple_time_servers") | indent(2) }}} fi diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml index 0045c93a2d..744ea925c9 100644 --- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml 
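Review bot: In bash/shared.sh the new guard `grep -q '^[\s]*server[\s]+[\w]+'` is a PCRE-style pattern handed to grep in its default basic-regex mode, where `[\s]` and `[\w]` are bracket expressions matching a backslash or the letters s/w and `+` is a literal plus, so it will not match a real `server 0.pool.ntp.org` line. The condition is therefore always true and the macro appends the variable's servers on every run, duplicating lines on a host that is already configured. Use a POSIX class with extended syntax, e.g. `grep -qE '^[[:space:]]*server[[:space:]]+[^[:space:]]'`. The same problem is in patch 07's bash hunk, where `(?:server|pool)` is additionally a non-capturing group that BRE does not understand; `grep -qE '^[[:space:]]*(server|pool)[[:space:]]+[^[:space:]]'` works there.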
@@ -1,15 +1,29 @@ - + - Specify Remote NTP chronyd Server for Time Data - {{{- oval_affected(products) }}} - A remote chronyd NTP Server for time synchronization should be specified (and dependencies are met) + Specify a Remote NTP Server for Time Data + + multi_platform_all + + A remote NTP Server for time synchronization should be + specified (and dependencies are met) - - - - + + - + + + + + + + /etc/chrony.conf + ^[\s]*server[\s]+.+$ + 1 + + diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct.pass.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct.pass.sh new file mode 100644 index 0000000000..d5db6a6fb3 --- /dev/null +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct.pass.sh @@ -0,0 +1,7 @@ +#!/bin/bash +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 + + +yum -y install chrony + +echo "server 0.pool.ntp.org" > /etc/chrony.conf diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_empty.fail.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_empty.fail.sh new file mode 100644 index 0000000000..15c414d9fc --- /dev/null +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_empty.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 + +yum -y install chrony + +echo "" > /etc/chrony.conf diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_missing.fail.sh new file mode 100644 index 0000000000..4e02f34c0f --- /dev/null +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_missing.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 + +yum -y install chrony + +rm -f /etc/chrony.conf 
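Review bot: The OVAL pattern `^[\s]*server[\s]+.+$` in oval/shared.xml accepts a directive whose only "value" is more whitespace — for `server  ` (two trailing blanks) `[\s]+` consumes one blank and `.+` the other — so the server_not_specified test only fails because it writes exactly one space. Requiring a non-blank token, `^[\s]*server[\s]+\S+`, closes that and agrees with the `[\w]+` the bash and Ansible remediations look for, so check and fix use the same notion of "configured". The same `.+$` survives in patch 05's rewrite of this pattern (`^[\s]*(?:server|pool)[\s]+.+$`). The surrounding XML elements are not legible in this rendering, so only the pattern text is reviewed here.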
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/line_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/line_missing.fail.sh new file mode 100644 index 0000000000..acae68b7ee --- /dev/null +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/line_missing.fail.sh @@ -0,0 +1,7 @@ +#!/bin/bash +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 + +yum -y install chrony + +echo "some line" > /etc/chrony.conf +echo "another line" >> /etc/chrony.conf diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/multiple_servers.pass.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/multiple_servers.pass.sh new file mode 100644 index 0000000000..d239a76dda --- /dev/null +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/multiple_servers.pass.sh @@ -0,0 +1,7 @@ +#!/bin/bash +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 + +yum -y install chrony + +echo "server 0.pool.ntp.org" > /etc/chrony.conf +echo "server 1.pool.ntp.org" >> /etc/chrony.conf diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/server_not_specified.fail.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/server_not_specified.fail.sh new file mode 100644 index 0000000000..63c2a7f0a4 --- /dev/null +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/server_not_specified.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 + +yum -y install chrony + +echo "server " > /etc/chrony.conf diff --git a/shared/checks/oval/chronyd_specify_remote_server.xml b/shared/checks/oval/chronyd_specify_remote_server.xml deleted file mode 100644 index 744ea925c9..0000000000 --- a/shared/checks/oval/chronyd_specify_remote_server.xml +++ /dev/null 
@@ -1,29 +0,0 @@ - - - - Specify a Remote NTP Server for Time Data - - multi_platform_all - - A remote NTP Server for time synchronization should be - specified (and dependencies are met) - - - - - - - - - - - - /etc/chrony.conf - ^[\s]*server[\s]+.+$ - 1 - - - From bc61c4eb7552012761223d75870c8bee36d5acc0 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Thu, 12 Mar 2020 17:05:12 +0100 Subject: [PATCH 03/10] fix typos and fix oval affected products --- .../ntp/chronyd_specify_remote_server/oval/shared.xml | 4 +--- .../services/ntp/chronyd_specify_remote_server/rule.yml | 2 +- .../guide/services/ntp/package_chrony_installed/rule.yml | 5 ++--- 3 files changed, 4 insertions(+), 7 deletions(-) diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml index 744ea925c9..3a3c2895ce 100644 --- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml @@ -2,9 +2,7 @@ Specify a Remote NTP Server for Time Data - - multi_platform_all - + {{{- oval_affected(products) }}} A remote NTP Server for time synchronization should be specified (and dependencies are met) diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml index 062d382709..3befba9de8 100644 --- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml 
@@ -5,7 +5,7 @@ prodtype: fedora,ocp4,ol8,rhel8 title: 'A remote NTP server for Chrony is configured' description: |- - chrony is a daemon which implements the Network Time Protocol (NTP) is designed to + chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at {{{ weblink(link="http://chrony.tuxfamily.org/") }}}. diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml index 36cae252e0..1e99e241dd 100644 --- a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml +++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml @@ -2,14 +2,13 @@ documentation_complete: true prodtype: fedora,ocp4,ol8,rhel8 -title: 'The Chrony package is enabled' +title: 'The Chrony package is installed' description: |- System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them. - You can install the package with the following command: -
# dnf install chrony
+ {{{ describe_package_install(package="chrony") }}} rationale: |- Time synchronization is important to support time sensitive security mechanisms like From 88ed5b1b1a44dcc9eb98cb1c514542059b7882e8 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 17 Mar 2020 11:55:44 +0100 Subject: [PATCH 04/10] make rules available for all platforms --- .../services/ntp/chronyd_specify_remote_server/bash/shared.sh | 2 +- .../guide/services/ntp/chronyd_specify_remote_server/rule.yml | 1 - linux_os/guide/services/ntp/package_chrony_installed/rule.yml | 2 -- linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml | 2 -- 4 files changed, 1 insertion(+), 6 deletions(-) diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh index 9fdb46d419..6be57c219b 100644 --- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_all . /usr/share/scap-security-guide/remediation_functions populate var_multiple_time_servers diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml index 3befba9de8..912a359080 100644 --- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml @@ -1,6 +1,5 @@ documentation_complete: true -prodtype: fedora,ocp4,ol8,rhel8 title: 'A remote NTP server for Chrony is configured' diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml index 1e99e241dd..6e2c455201 100644 
--- a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml +++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml @@ -1,7 +1,5 @@ documentation_complete: true -prodtype: fedora,ocp4,ol8,rhel8 - title: 'The Chrony package is installed' description: |- diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml index 37adcae640..e0b21d81af 100644 --- a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml +++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml @@ -1,7 +1,5 @@ documentation_complete: true -prodtype: fedora,ocp4,ol8,rhel8 - title: 'The Chronyd service is enabled' description: |- From bd704e243821225440f1dd7c426922624cd6c08a Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 17 Mar 2020 14:47:53 +0100 Subject: [PATCH 05/10] make oval accept also pool add test for it --- .../ntp/chronyd_specify_remote_server/oval/shared.xml | 2 +- .../tests/correct_pool.pass.sh | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct_pool.pass.sh diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml index 3a3c2895ce..31cde36bc9 100644 --- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml @@ -20,7 +20,7 @@ /etc/chrony.conf - ^[\s]*server[\s]+.+$ + ^[\s]*(?:server|pool)[\s]+.+$ 1 diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct_pool.pass.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct_pool.pass.sh new file mode 100644 index 0000000000..aa6e8aea2a --- /dev/null +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct_pool.pass.sh 
@@ -0,0 +1,7 @@ +#!/bin/bash +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 + + +yum -y install chrony + +echo "pool 0.pool.ntp.org" > /etc/chrony.conf From 387e404f2aa33ffd36305d899e5ba2846b0e99a8 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 17 Mar 2020 14:58:52 +0100 Subject: [PATCH 06/10] modify bash macro not to add iburst --- shared/macros-bash.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja index bc6c6f6486..01b9e62e7b 100644 --- a/shared/macros-bash.jinja +++ b/shared/macros-bash.jinja @@ -348,7 +348,7 @@ done {{%- macro bash_ensure_there_are_servers_in_ntp_compatible_config_file(config_file, servers_list) -%}} if ! grep -q '#[[:space:]]*server' "{{{ config_file }}}" ; then for server in $(echo "{{{ servers_list }}}" | tr ',' '\n') ; do - printf '\nserver %s iburst' "$server" >> "{{{ config_file }}}" + printf '\nserver %s' "$server" >> "{{{ config_file }}}" done else sed -i 's/#[ \t]*server/server/g' "{{{ config_file }}}" From eb953fba0979a795743bf669270709539dca5dc4 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 17 Mar 2020 17:41:58 +0100 Subject: [PATCH 07/10] fix remediations --- .../ansible/shared.yml | 19 ++++++++++++++----- .../bash/shared.sh | 2 +- .../chronyd_specify_remote_server/rule.yml | 2 +- 3 files changed, 16 insertions(+), 7 deletions(-) diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml index ad93be3580..747226601b 100644 --- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml 
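Review bot: `bash_ensure_there_are_servers_in_ntp_compatible_config_file` in shared/macros-bash.jinja is a shared macro, so dropping ` iburst` from the `printf` changes the line written by every rule that calls it, not only the new chrony rule, and the commit message gives no reason. If the intent is to match the Ansible remediation's plain `server {{ item }}` line, state that in a comment above the `printf`, e.g. `{{# plain "server <host>" lines, kept in sync with the chrony Ansible remediation #}}`; if other callers may rely on iburst for fast initial sync, a macro argument with the previous behaviour as default would be safer. Only this one line of the macro is in the hunk; the rest of the loop and the `sed` branch lie outside it.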
@@ -5,9 +5,18 @@ # disruption = low - (xccdf-var var_multiple_time_servers) -- name: "Ensure Chrony is installed" - package: - name: "chrony" - state: present +- name: "Detect if chrony is already configured with pools or servers" + find: + path: /etc + patterns: chrony.conf + contains: '^[\s]*(?:server|pool)[\s]+[\w]+' + register: chrony_servers -{{{ ansible_lineinfile(msg='Ensure remote servers are specified in chrony.conf', path='/etc/chrony.conf', regex='^[\s]*server[\s]+[\w]+', new_line='server {{ item }}', create='yes', state='present', with_items='{{ var_multiple_time_servers.split(",") }}') }}} +- name: "Add server configuration if none found in previous task" + lineinfile: + path: /etc/chrony.conf + line: 'server {{ item }}' + state: present + create: True + loop: '{{ var_multiple_time_servers.split(",") }}' + when: chrony_servers.matched == 0 diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh index 6be57c219b..e566219788 100644 --- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh @@ -4,6 +4,6 @@ populate var_multiple_time_servers config_file="/etc/chrony.conf" -if ! grep -q '^[\s]*server[\s]+[\w]+' "$config_file" ; then +if ! grep -q '^[\s]*(?:server|pool)[\s]+[\w]+' "$config_file" ; then {{{ bash_ensure_there_are_servers_in_ntp_compatible_config_file("$config_file", "$var_multiple_time_servers") | indent(2) }}} fi diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml index 912a359080..28224c2383 100644 --- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml 
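Review bot: In ansible/shared.yml the new `lineinfile` task writes `create: True`; YAML 1.2 and yamllint's truthy rule expect the lowercase form, so `create: true`. The `find` task's `contains: '^[\s]*(?:server|pool)[\s]+[\w]+'` is a Python regex and is fine as written, but the `when: chrony_servers.matched == 0` condition also fires when `/etc/chrony.conf` is absent, in which case `create` is what makes the second task succeed; a comment on that task, `# matched == 0 also when /etc/chrony.conf does not exist; lineinfile creates it`, would make that path explicit.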
@@ -4,7 +4,7 @@ documentation_complete: true title: 'A remote NTP server for Chrony is configured' description: |- - chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to + Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at {{{ weblink(link="http://chrony.tuxfamily.org/") }}}. From 2106f716f5662f265a2e05b351e0fd7cb91dd698 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 17 Mar 2020 17:50:10 +0100 Subject: [PATCH 08/10] fix description --- .../ntp/chronyd_specify_remote_server/rule.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml index 28224c2383..af250d0288 100644 --- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml @@ -4,22 +4,22 @@ documentation_complete: true title: 'A remote NTP server for Chrony is configured' description: |- - Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to + Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly - accurate. More information on chrony can be found at + accurate. More information on chrony can be found at {{{ weblink(link="http://chrony.tuxfamily.org/") }}}. - Chrony can be configured to be a client and/or a server. + Chrony can be configured to be a client and/or a server. Add or edit server or pool lines to /etc/chrony.conf as appropriate:
server <remote-server>
Multiple servers may be configured. rationale: |- - If chrony is in use on the system proper configuration is vital to ensuring time + If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly. severity: medium -platform: machine +platform: chrony identifiers: cce@rhel8: 82734-5 @@ -27,7 +27,7 @@ identifiers: references: cis@rhel8: 2.2.1.2 -ocil_clause: 'The remote NTP server for Chrony is not configured' +ocil_clause: 'the remote NTP server for Chrony is not configured' ocil: |- Run the following command and verify remote server is configured properly: From 6058590f752af869716a4bc166091d22cdda71e6 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 17 Mar 2020 18:07:00 +0100 Subject: [PATCH 09/10] fix cces --- .../guide/services/ntp/chronyd_specify_remote_server/rule.yml | 2 +- linux_os/guide/services/ntp/package_chrony_installed/rule.yml | 2 +- linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml | 4 ++-- 4 files changed, 4 insertions(+), 7 deletions(-) diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml index af250d0288..fbd457d2de 100644 --- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml @@ -22,7 +22,7 @@ severity: medium platform: chrony identifiers: - cce@rhel8: 82734-5 + cce@rhel8: 82873-1 references: cis@rhel8: 2.2.1.2 diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml index 6e2c455201..2549f48b71 100644 --- a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml +++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml @@ -18,7 +18,7 @@ severity: medium platform: machine identifiers: - cce@rhel8: 82730-3 + cce@rhel8: 82874-9 references: cis@rhel8: 2.2.1.1 
diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml index e0b21d81af..829d662afe 100644 --- a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml +++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml @@ -21,12 +21,12 @@ severity: medium platform: machine identifiers: - cce@rhel8: 82729-5 + cce@rhel8: 82875-6 references: cis@rhel8: 2.2.1.2 -ocil_clause: 'The chronyd process is not running' +ocil_clause: 'the chronyd process is not running' ocil: '{{{ ocil_service_enabled(service="chronyd") }}}' From e70adc47f0c1cdcc7c652b5a6f19701aa61fe8f8 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Wed, 18 Mar 2020 10:53:45 +0100 Subject: [PATCH 10/10] small wording changes --- .../ntp/chronyd_specify_remote_server/ansible/shared.yml | 2 +- .../guide/services/ntp/chronyd_specify_remote_server/rule.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml index 747226601b..0c812bdc2a 100644 --- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml @@ -12,7 +12,7 @@ contains: '^[\s]*(?:server|pool)[\s]+[\w]+' register: chrony_servers -- name: "Add server configuration if none found in previous task" +- name: "Configure remote time servers" lineinfile: path: /etc/chrony.conf line: 'server {{ item }}' diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml index fbd457d2de..b2177fc76e 100644 --- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml 
@@ -27,7 +27,7 @@ identifiers: references: cis@rhel8: 2.2.1.2 -ocil_clause: 'the remote NTP server for Chrony is not configured' +ocil_clause: 'a remote time server is not configured' ocil: |- Run the following command and verify remote server is configured properly: