|
 |
07cb6b |
From bbafe0a7b4b9eb50bc622d9f9f3c0074fca932f9 Mon Sep 17 00:00:00 2001
|
|
|
07cb6b |
From: Watson Sato <wsato@redhat.com>
|
|
|
07cb6b |
Date: Wed, 9 Feb 2022 16:17:52 +0100
|
|
|
07cb6b |
Subject: [PATCH 1/2] Pass the rule when no time server nor pool is set
|
|
|
07cb6b |
|
|
|
07cb6b |
If no time server or pool is configured, there is no entry to add
|
|
|
07cb6b |
maxpoll option to, so the rule should evaluate to pass.
|
|
|
07cb6b |
---
|
|
|
07cb6b |
.../oval/shared.xml | 50 +++++++++++++++----
|
|
|
07cb6b |
.../ntp/chronyd_or_ntpd_set_maxpoll/rule.yml | 2 +
|
|
|
07cb6b |
.../tests/chrony_no_pool_nor_servers.pass.sh | 12 +++++
|
|
|
07cb6b |
3 files changed, 54 insertions(+), 10 deletions(-)
|
|
|
07cb6b |
create mode 100644 linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh
|
|
|
07cb6b |
|
|
|
07cb6b |
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
|
|
|
07cb6b |
index 780c2e2d0ba..76f810123f3 100644
|
|
|
07cb6b |
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
|
|
|
07cb6b |
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
|
|
|
07cb6b |
@@ -3,17 +3,25 @@
|
|
|
07cb6b |
{{{ oval_metadata("Configure the maxpoll setting in /etc/ntp.conf or chrony.conf
|
|
|
07cb6b |
to continuously poll the time source servers.") }}}
|
|
|
07cb6b |
<criteria operator="OR">
|
|
|
07cb6b |
- <criteria operator="AND">
|
|
|
07cb6b |
-
|
|
|
07cb6b |
- test_ref="test_ntp_set_maxpoll" />
|
|
|
07cb6b |
-
|
|
|
07cb6b |
- test_ref="test_ntp_all_server_has_maxpoll"/>
|
|
|
07cb6b |
+ <criteria operator="OR">
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+ test_ref="test_ntp_no_server"/>
|
|
|
07cb6b |
+ <criteria operator="AND">
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+ test_ref="test_ntp_set_maxpoll" />
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+ test_ref="test_ntp_all_server_has_maxpoll"/>
|
|
|
07cb6b |
+ </criteria>
|
|
|
07cb6b |
</criteria>
|
|
|
07cb6b |
- <criteria operator="AND">
|
|
|
07cb6b |
-
|
|
|
07cb6b |
- test_ref="test_chrony_set_maxpoll" />
|
|
|
07cb6b |
-
|
|
|
07cb6b |
- test_ref="test_chrony_all_server_has_maxpoll"/>
|
|
|
07cb6b |
+ <criteria operator="OR">
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+ test_ref="test_chrony_no_server_nor_pool"/>
|
|
|
07cb6b |
+ <criteria operator="AND">
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+ test_ref="test_chrony_set_maxpoll" />
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+ test_ref="test_chrony_all_server_has_maxpoll"/>
|
|
|
07cb6b |
+ </criteria>
|
|
|
07cb6b |
</criteria>
|
|
|
07cb6b |
</criteria>
|
|
|
07cb6b |
</definition>
|
|
|
07cb6b |
@@ -77,4 +85,26 @@
|
|
|
07cb6b |
<ind:subexpression operation="pattern match" datatype="string">maxpoll \d+</ind:subexpression>
|
|
|
07cb6b |
</ind:textfilecontent54_state>
|
|
|
07cb6b |
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+ comment="check if no server entries have server or pool set in /etc/chrony.conf"
|
|
|
07cb6b |
+ id="test_chrony_no_server_nor_pool" version="1">
|
|
|
07cb6b |
+ <ind:object object_ref="obj_chrony_no_server_nor_pool" />
|
|
|
07cb6b |
+ </ind:textfilecontent54_test>
|
|
|
07cb6b |
+ <ind:textfilecontent54_object id="obj_chrony_no_server_nor_pool" version="1">
|
|
|
07cb6b |
+ <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
|
|
|
07cb6b |
+ <ind:pattern operation="pattern match">^(?:server|pool).*</ind:pattern>
|
|
|
07cb6b |
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
|
|
07cb6b |
+ </ind:textfilecontent54_object>
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+ comment="check if all server entries have maxpoll set in /etc/ntp.conf"
|
|
|
07cb6b |
+ id="test_ntp_no_server" version="1">
|
|
|
07cb6b |
+ <ind:object object_ref="obj_ntp_no_server_nor_pool" />
|
|
|
07cb6b |
+ </ind:textfilecontent54_test>
|
|
|
07cb6b |
+ <ind:textfilecontent54_object id="obj_ntp_no_server_nor_pool" version="1">
|
|
|
07cb6b |
+ <ind:filepath>/etc/ntp.conf</ind:filepath>
|
|
|
07cb6b |
+ <ind:pattern operation="pattern match">^server.*</ind:pattern>
|
|
|
07cb6b |
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
|
|
07cb6b |
+ </ind:textfilecontent54_object>
|
|
|
07cb6b |
+
|
|
|
07cb6b |
</def-group>
|
|
|
07cb6b |
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
|
|
|
07cb6b |
index 20e7467a7b5..c115ad3c115 100644
|
|
|
07cb6b |
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
|
|
|
07cb6b |
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
|
|
|
07cb6b |
@@ -13,6 +13,8 @@ description: |-
|
|
|
07cb6b |
maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}
|
|
|
07cb6b |
to server directives. If using chrony any pool directives
|
|
|
07cb6b |
should be configured too.
|
|
|
07cb6b |
+ If no <tt>server</tt> or <tt>pool</tt> directives are configured, the rule evaluates
|
|
|
07cb6b |
+ to pass.
|
|
|
07cb6b |
{{% if product == "rhcos4" %}}
|
|
|
07cb6b |
|
|
|
07cb6b |
Note that if the remediation shipping with this content is being used, the
|
|
|
07cb6b |
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh
|
|
|
07cb6b |
new file mode 100644
|
|
|
07cb6b |
index 00000000000..bbae20fc696
|
|
|
07cb6b |
--- /dev/null
|
|
|
07cb6b |
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh
|
|
|
07cb6b |
@@ -0,0 +1,12 @@
|
|
|
07cb6b |
+#!/bin/bash
|
|
|
07cb6b |
+# packages = chrony
|
|
|
07cb6b |
+#
|
|
|
07cb6b |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+yum remove -y ntp
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+# Remove all pool and server options
|
|
|
07cb6b |
+sed -i "/^pool.*/d" /etc/chrony.conf
|
|
|
07cb6b |
+sed -i "/^server.*/d" /etc/chrony.conf
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+systemctl enable chronyd.service
|
|
|
07cb6b |
|
|
|
07cb6b |
From 60ef6eb2cce9e53ea256738ff2583b332155a318 Mon Sep 17 00:00:00 2001
|
|
|
07cb6b |
From: Watson Sato <wsato@redhat.com>
|
|
|
07cb6b |
Date: Fri, 11 Feb 2022 12:14:30 +0100
|
|
|
07cb6b |
Subject: [PATCH 2/2] Add rule ensuring Chrony only uses server directive
|
|
|
07cb6b |
|
|
|
07cb6b |
This new rule only asserts that Chrony has at least one time source configured,
|
|
|
07cb6b |
and that it is done with the 'server' directive.
|
|
|
07cb6b |
No remediation is provided for rule, that is left for other specialized
|
|
|
07cb6b |
rules.
|
|
|
07cb6b |
---
|
|
|
07cb6b |
.../chronyd_server_directive/oval/shared.xml | 33 +++++++++++++++++++
|
|
|
07cb6b |
.../ntp/chronyd_server_directive/rule.yml | 32 ++++++++++++++++++
|
|
|
07cb6b |
.../tests/file_empty.fail.sh | 6 ++++
|
|
|
07cb6b |
.../tests/file_missing.fail.sh | 6 ++++
|
|
|
07cb6b |
.../tests/line_missing.fail.sh | 7 ++++
|
|
|
07cb6b |
.../tests/multiple_servers.pass.sh | 8 +++++
|
|
|
07cb6b |
.../tests/only_pool.fail.sh | 9 +++++
|
|
|
07cb6b |
.../tests/only_server.pass.sh | 6 ++++
|
|
|
07cb6b |
products/rhel8/profiles/stig.profile | 1 +
|
|
|
07cb6b |
products/rhel9/profiles/stig.profile | 1 +
|
|
|
07cb6b |
shared/references/cce-redhat-avail.txt | 2 --
|
|
|
07cb6b |
.../data/profile_stability/rhel8/stig.profile | 1 +
|
|
|
07cb6b |
.../profile_stability/rhel8/stig_gui.profile | 1 +
|
|
|
07cb6b |
13 files changed, 111 insertions(+), 2 deletions(-)
|
|
|
07cb6b |
create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml
|
|
|
07cb6b |
create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/rule.yml
|
|
|
07cb6b |
create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh
|
|
|
07cb6b |
create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh
|
|
|
07cb6b |
create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh
|
|
|
07cb6b |
create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh
|
|
|
07cb6b |
create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh
|
|
|
07cb6b |
create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh
|
|
|
07cb6b |
|
|
|
07cb6b |
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml
|
|
|
07cb6b |
new file mode 100644
|
|
|
07cb6b |
index 00000000000..2244e608047
|
|
|
07cb6b |
--- /dev/null
|
|
|
07cb6b |
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml
|
|
|
07cb6b |
@@ -0,0 +1,33 @@
|
|
|
07cb6b |
+<def-group>
|
|
|
07cb6b |
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
|
|
07cb6b |
+ {{{ oval_metadata("Ensure Chrony has time sources configured with server directive") }}}
|
|
|
07cb6b |
+ <criteria comment="chrony.conf only has server directive">
|
|
|
07cb6b |
+ <criterion test_ref="test_chronyd_server_directive_with_server" />
|
|
|
07cb6b |
+ <criterion test_ref="test_chronyd_server_directive_no_pool" />
|
|
|
07cb6b |
+ </criteria>
|
|
|
07cb6b |
+ </definition>
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+ comment="Ensure at least one time source is set with server directive" id="test_chronyd_server_directive_with_server"
|
|
|
07cb6b |
+ version="1">
|
|
|
07cb6b |
+ <ind:object object_ref="object_chronyd_server_directive" />
|
|
|
07cb6b |
+ </ind:textfilecontent54_test>
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+ id="object_chronyd_server_directive" version="1">
|
|
|
07cb6b |
+ <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
|
|
|
07cb6b |
+ <ind:pattern operation="pattern match">^[\s]*server.*$</ind:pattern>
|
|
|
07cb6b |
+ <ind:instance datatype="int">1</ind:instance>
|
|
|
07cb6b |
+ </ind:textfilecontent54_object>
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+ comment="Ensure no time source is set with pool directive" id="test_chronyd_server_directive_no_pool"
|
|
|
07cb6b |
+ version="1">
|
|
|
07cb6b |
+ <ind:object object_ref="object_chronyd_no_pool_directive" />
|
|
|
07cb6b |
+ </ind:textfilecontent54_test>
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+ id="object_chronyd_no_pool_directive" version="1">
|
|
|
07cb6b |
+ <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
|
|
|
07cb6b |
+ <ind:pattern operation="pattern match">^[\s]+pool.*$</ind:pattern>
|
|
|
07cb6b |
+ <ind:instance datatype="int">1</ind:instance>
|
|
|
07cb6b |
+ </ind:textfilecontent54_object>
|
|
|
07cb6b |
+</def-group>
|
|
|
07cb6b |
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/rule.yml b/linux_os/guide/services/ntp/chronyd_server_directive/rule.yml
|
|
|
07cb6b |
new file mode 100644
|
|
|
07cb6b |
index 00000000000..6dc24f1be85
|
|
|
07cb6b |
--- /dev/null
|
|
|
07cb6b |
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/rule.yml
|
|
|
07cb6b |
@@ -0,0 +1,32 @@
|
|
|
07cb6b |
+documentation_complete: true
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+title: 'Ensure Chrony is only configured with the server directive'
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+description: |-
|
|
|
07cb6b |
+ Check that Chrony only has time sources configured with the <tt>server</tt> directive.
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+rationale: |-
|
|
|
07cb6b |
+ Depending on the infrastruture being used the <tt>pool</tt> directive may not be supported.
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+severity: medium
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+platform: chrony
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+warnings:
|
|
|
07cb6b |
+ - general: This rule doesn't come with a remediation, the time source needs to be added by the adminstrator.
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+identifiers:
|
|
|
07cb6b |
+ cce@rhel8: CCE-86077-5
|
|
|
07cb6b |
+ cce@rhel9: CCE-87077-4
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+references:
|
|
|
07cb6b |
+ disa: CCI-001891
|
|
|
07cb6b |
+ srg: SRG-OS-000355-GPOS-00143,SRG-OS-000356-GPOS-00144,SRG-OS-000359-GPOS-00146
|
|
|
07cb6b |
+ stigid@rhel8: RHEL-08-030740
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+ocil_clause: 'a remote time server is not configured or configured with pool directive'
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+ocil: |-
|
|
|
07cb6b |
+ Run the following command and verify that time sources are only configure with <tt>server</tt> directive:
|
|
|
07cb6b |
+ # grep -E "^(server|pool)" /etc/chrony.conf
|
|
|
07cb6b |
+ A line with the appropriate server should be returned, any line returned starting with <tt>pool</tt> is a finding.
|
|
|
07cb6b |
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh
|
|
|
07cb6b |
new file mode 100644
|
|
|
07cb6b |
index 00000000000..d1ba0755198
|
|
|
07cb6b |
--- /dev/null
|
|
|
07cb6b |
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh
|
|
|
07cb6b |
@@ -0,0 +1,6 @@
|
|
|
07cb6b |
+#!/bin/bash
|
|
|
07cb6b |
+# packages = chrony
|
|
|
07cb6b |
+# platform = multi_platform_fedora,multi_platform_rhel
|
|
|
07cb6b |
+# remediation = none
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+echo "" > /etc/chrony.conf
|
|
|
07cb6b |
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh
|
|
|
07cb6b |
new file mode 100644
|
|
|
07cb6b |
index 00000000000..12a50ebc3d2
|
|
|
07cb6b |
--- /dev/null
|
|
|
07cb6b |
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh
|
|
|
07cb6b |
@@ -0,0 +1,6 @@
|
|
|
07cb6b |
+#!/bin/bash
|
|
|
07cb6b |
+# packages = chrony
|
|
|
07cb6b |
+# platform = multi_platform_fedora,multi_platform_rhel
|
|
|
07cb6b |
+# remediation = none
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+rm -f /etc/chrony.conf
|
|
|
07cb6b |
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh
|
|
|
07cb6b |
new file mode 100644
|
|
|
07cb6b |
index 00000000000..bffa8b62b1b
|
|
|
07cb6b |
--- /dev/null
|
|
|
07cb6b |
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh
|
|
|
07cb6b |
@@ -0,0 +1,7 @@
|
|
|
07cb6b |
+#!/bin/bash
|
|
|
07cb6b |
+# packages = chrony
|
|
|
07cb6b |
+# platform = multi_platform_fedora,multi_platform_rhel
|
|
|
07cb6b |
+# remediation = none
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+echo "some line" > /etc/chrony.conf
|
|
|
07cb6b |
+echo "another line" >> /etc/chrony.conf
|
|
|
07cb6b |
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh
|
|
|
07cb6b |
new file mode 100644
|
|
|
07cb6b |
index 00000000000..5527f389316
|
|
|
07cb6b |
--- /dev/null
|
|
|
07cb6b |
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh
|
|
|
07cb6b |
@@ -0,0 +1,8 @@
|
|
|
07cb6b |
+#!/bin/bash
|
|
|
07cb6b |
+# packages = chrony
|
|
|
07cb6b |
+# platform = multi_platform_fedora,multi_platform_rhel
|
|
|
07cb6b |
+# remediation = none
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+sed -i "^pool.*" /etc/chrony.conf
|
|
|
07cb6b |
+echo "server 0.pool.ntp.org" > /etc/chrony.conf
|
|
|
07cb6b |
+echo "server 1.pool.ntp.org" >> /etc/chrony.conf
|
|
|
07cb6b |
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh
|
|
|
07cb6b |
new file mode 100644
|
|
|
07cb6b |
index 00000000000..616fe8844fc
|
|
|
07cb6b |
--- /dev/null
|
|
|
07cb6b |
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh
|
|
|
07cb6b |
@@ -0,0 +1,9 @@
|
|
|
07cb6b |
+#!/bin/bash
|
|
|
07cb6b |
+# packages = chrony
|
|
|
07cb6b |
+# platform = multi_platform_fedora,multi_platform_rhel
|
|
|
07cb6b |
+# remediation = none
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+sed -i "^server.*" /etc/chrony.conf
|
|
|
07cb6b |
+if ! grep "^pool.*" /etc/chrony.conf; then
|
|
|
07cb6b |
+ echo "pool 0.pool.ntp.org" > /etc/chrony.conf
|
|
|
07cb6b |
+fi
|
|
|
07cb6b |
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh
|
|
|
07cb6b |
new file mode 100644
|
|
|
07cb6b |
index 00000000000..21a70dc4900
|
|
|
07cb6b |
--- /dev/null
|
|
|
07cb6b |
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh
|
|
|
07cb6b |
@@ -0,0 +1,6 @@
|
|
|
07cb6b |
+#!/bin/bash
|
|
|
07cb6b |
+# packages = chrony
|
|
|
07cb6b |
+# platform = multi_platform_fedora,multi_platform_rhel
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+sed -i "^pool.*" /etc/chrony.conf
|
|
|
07cb6b |
+echo "server 0.pool.ntp.org" > /etc/chrony.conf
|
|
|
07cb6b |
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
|
|
07cb6b |
index 36f606ee461..2bd1fb54316 100644
|
|
|
07cb6b |
--- a/products/rhel8/profiles/stig.profile
|
|
|
07cb6b |
+++ b/products/rhel8/profiles/stig.profile
|
|
|
07cb6b |
@@ -909,6 +909,7 @@ selections:
|
|
|
07cb6b |
# RHEL-08-030740
|
|
|
07cb6b |
# remediation fails because default configuration file contains pool instead of server keyword
|
|
|
07cb6b |
- chronyd_or_ntpd_set_maxpoll
|
|
|
07cb6b |
+ - chronyd_server_directive
|
|
|
07cb6b |
|
|
|
07cb6b |
# RHEL-08-030741
|
|
|
07cb6b |
- chronyd_client_only
|
|
|
07cb6b |
diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
|
|
|
07cb6b |
index 374932cfd32..0d4d7b0ff97 100644
|
|
|
07cb6b |
--- a/products/rhel9/profiles/stig.profile
|
|
|
07cb6b |
+++ b/products/rhel9/profiles/stig.profile
|
|
|
07cb6b |
@@ -909,6 +909,7 @@ selections:
|
|
|
07cb6b |
# RHEL-08-030740
|
|
|
07cb6b |
# remediation fails because default configuration file contains pool instead of server keyword
|
|
|
07cb6b |
- chronyd_or_ntpd_set_maxpoll
|
|
|
07cb6b |
+ - chronyd_server_directive
|
|
|
07cb6b |
|
|
|
07cb6b |
# RHEL-08-030741
|
|
|
07cb6b |
- chronyd_client_only
|
|
|
07cb6b |
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
|
|
07cb6b |
index 8c59c5d3201..0081fe1938f 100644
|
|
|
07cb6b |
--- a/shared/references/cce-redhat-avail.txt
|
|
|
07cb6b |
+++ b/shared/references/cce-redhat-avail.txt
|
|
|
07cb6b |
@@ -152,7 +152,6 @@ CCE-86073-4
|
|
|
07cb6b |
CCE-86074-2
|
|
|
07cb6b |
CCE-86075-9
|
|
|
07cb6b |
CCE-86076-7
|
|
|
07cb6b |
-CCE-86077-5
|
|
|
07cb6b |
CCE-86078-3
|
|
|
07cb6b |
CCE-86079-1
|
|
|
07cb6b |
CCE-86080-9
|
|
|
07cb6b |
@@ -1079,7 +1078,6 @@ CCE-87073-3
|
|
|
07cb6b |
CCE-87074-1
|
|
|
07cb6b |
CCE-87075-8
|
|
|
07cb6b |
CCE-87076-6
|
|
|
07cb6b |
-CCE-87077-4
|
|
|
07cb6b |
CCE-87078-2
|
|
|
07cb6b |
CCE-87079-0
|
|
|
07cb6b |
CCE-87080-8
|
|
|
07cb6b |
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
07cb6b |
index 5b06103d72e..7d44f8910d1 100644
|
|
|
07cb6b |
--- a/tests/data/profile_stability/rhel8/stig.profile
|
|
|
07cb6b |
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
07cb6b |
@@ -160,6 +160,7 @@ selections:
|
|
|
07cb6b |
- chronyd_client_only
|
|
|
07cb6b |
- chronyd_no_chronyc_network
|
|
|
07cb6b |
- chronyd_or_ntpd_set_maxpoll
|
|
|
07cb6b |
+- chronyd_server_directive
|
|
|
07cb6b |
- clean_components_post_updating
|
|
|
07cb6b |
- configure_bashrc_exec_tmux
|
|
|
07cb6b |
- configure_bind_crypto_policy
|
|
|
07cb6b |
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
07cb6b |
index 11e0ee9515a..91546d1d418 100644
|
|
|
07cb6b |
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
07cb6b |
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
07cb6b |
@@ -171,6 +171,7 @@ selections:
|
|
|
07cb6b |
- chronyd_client_only
|
|
|
07cb6b |
- chronyd_no_chronyc_network
|
|
|
07cb6b |
- chronyd_or_ntpd_set_maxpoll
|
|
|
07cb6b |
+- chronyd_server_directive
|
|
|
07cb6b |
- clean_components_post_updating
|
|
|
07cb6b |
- configure_bashrc_exec_tmux
|
|
|
07cb6b |
- configure_bind_crypto_policy
|