From 894d50c90ad9fd9431c8198a082f4742b168c7c8 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 17 Mar 2020 09:31:32 +0100
Subject: [PATCH 1/8] add rule
---
.../ntp/chronyd_run_as_chrony_user/rule.yml | 40 +++++++++++++++++++
shared/references/cce-redhat-avail.txt | 2 -
2 files changed, 40 insertions(+), 2 deletions(-)
create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
new file mode 100644
index 0000000000..00a9e1d046
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+prodtype: rhel7,rhel8,fedora
+
+title: 'Ensure thatchronyd is running under chrony user account'
+
+description: |-
+ chrony is a daemon which implements the Network Time Protocol (NTP) is designed to
+ synchronize system clocks across a variety of systems and use a source that is highly
+ accurate. More information on chrony can be found at
+ {{{ weblink(link="http://chrony.tuxfamily.org/) }}}.
+ Chrony can be configured to be a client and/or a server.
+ To ensure that chronyd is running under chrony user account, Add or edit the
+ <tt>OPTIONS</tt> variable in <tt>/etc/sysconfig/chronyd</tt> to include ' -u chrony ':
+ <pre>OPTIONS="-u chrony"</pre>
+ This recommendation only applies if chrony is in use on the system.
+
+rationale: |-
+ If chrony is in use on the system proper configuration is vital to ensuring time synchronization
+ is working properly.
+
+severity: medium
+
+platform: ntp
+
+references:
+ cis@rhel7: 2.2.1.2
+ cis@rhel8: 2.2.1.2
+
+identifiers:
+ cce@rhel7: 82878-0
+ cce@rhel8: 82879-8
+
+ocil_clause: 'chronyd is not running under chrony user account'
+
+ocil: |-
+ Run the following command and verify that <tt>-u chrony</tt> is included in <tt>OPTIONS</tt>:
+ <pre># grep "^OPTIONS" /etc/sysconfig/chronyd
+ OPTIONS="-u chrony"</pre>
+
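Review bot: The `rationale` block does not say why running chronyd under a dedicated account matters; as written it only restates that chrony should be configured properly, which is true of any rule. Suggest adding `Running chronyd as the unprivileged chrony user instead of root limits what a compromised or misbehaving daemon can do to the rest of the system.` Separately, the `ocil` command `grep "^OPTIONS" /etc/sysconfig/chronyd` will not show an indented `OPTIONS=` line, whereas the remediations added later in this series match `^[\s]*OPTIONS=`; `grep "^[[:space:]]*OPTIONS" /etc/sysconfig/chronyd` keeps the manual check aligned with them.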
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index a12a6355fc..53b8232431 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -3,8 +3,6 @@ CCE-82874-9
CCE-82875-6
CCE-82876-4
CCE-82877-2
-CCE-82878-0
-CCE-82879-8
CCE-82880-6
CCE-82882-2
CCE-82883-0
From 8a6213bc0a5cfe5005b3d4c9c2e331bc361a9eec Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 17 Mar 2020 10:47:23 +0100
Subject: [PATCH 2/8] add chrony cpe to rhel7, rhel8, fedora
---
.../ntp/chronyd_run_as_chrony_user/rule.yml | 6 +++---
6 files changed, 39 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
index 00a9e1d046..811ab8ac91 100644
--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
@@ -5,10 +5,10 @@ prodtype: rhel7,rhel8,fedora
title: 'Ensure thatchronyd is running under chrony user account'
description: |-
- chrony is a daemon which implements the Network Time Protocol (NTP) is designed to
+ chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to
synchronize system clocks across a variety of systems and use a source that is highly
accurate. More information on chrony can be found at
- {{{ weblink(link="http://chrony.tuxfamily.org/) }}}.
+ {{{ weblink(link="http://chrony.tuxfamily.org/") }}}.
Chrony can be configured to be a client and/or a server.
To ensure that chronyd is running under chrony user account, Add or edit the
<tt>OPTIONS</tt> variable in <tt>/etc/sysconfig/chronyd</tt> to include ' -u chrony ':
@@ -21,7 +21,7 @@ rationale: |-
severity: medium
-platform: ntp
+platform: chrony
references:
cis@rhel7: 2.2.1.2
From f32d587b8d6f916f0ed35000348de111a0ff3347 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 17 Mar 2020 10:47:56 +0100
Subject: [PATCH 3/8] add remediations
---
.../ansible/shared.yml | 30 +++++++++++++++++++
.../chronyd_run_as_chrony_user/bash/shared.sh | 9 ++++++
2 files changed, 39 insertions(+)
create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml
create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh
diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml
new file mode 100644
index 0000000000..f9c29734c0
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml
@@ -0,0 +1,30 @@
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+- name: "detect if file is not empty or missing"
+ find:
+ path: /etc/sysconfig/
+ patterns: chronyd
+ contains: '^([\s]*OPTIONS=["]?[^"]*)("?)'
+ register: chronyd_file
+
+- name: "replace existing setting or create a new file, rest is handled by different task"
+ lineinfile:
+ path: /etc/sysconfig/chronyd
+ regexp: '^([\s]*OPTIONS=["]?[^"]*)("?)'
+ line: '\1 -u chrony\2'
+ state: present
+ create: True
+ backrefs: True
+ when: chronyd_file.matched > 0
+
+- name: "put line into file, assume file was empty"
+ lineinfile:
+ path: /etc/sysconfig/chronyd
+ line: 'OPTIONS="-u chrony"'
+ state: present
+ create: True
+ when: chronyd_file.matched == 0
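Review bot: The booleans `create: True` and `backrefs: True` use Python-style capitalisation while the header comments of the same file already write `false` in lowercase; `create: true` and `backrefs: true` are the canonical YAML 1.2 spelling and the form yamllint's `truthy` rule accepts. The same capitalised `create: True` is kept in the later hunks of this file in this series.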
diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh
new file mode 100644
index 0000000000..4210e28560
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = Red Hat Enterprise Linux 7,multi_platform_fedora,Red Hat Enterprise Linux 8
+
+if grep -q 'OPTIONS=.*' /etc/sysconfig/chronyd; then
+ # trying to solve cases where the parameter after OPTIONS
+ #may or may not be enclosed in quotes
+ sed -i -E 's/^([\s]*OPTIONS=["]?[^"]*)("?)/\1 -u chrony\2/' /etc/sysconfig/chronyd
+else
+ echo 'OPTIONS="-u chrony"' >> /etc/sysconfig/chronyd
+fi
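Review bot: The guard `grep -q 'OPTIONS=.*'` on the `if` line is unanchored while the `sed` substitution anchors on `^([\s]*OPTIONS=`, so a file whose only OPTIONS line is commented out (`#OPTIONS="..."`) takes the `then` branch, sed changes nothing, and the file is left non-compliant without any error. Anchor the test the same way as the substitution: `if grep -q '^[[:space:]]*OPTIONS=' /etc/sysconfig/chronyd; then`; this also matches the Ansible remediation in the same commit, whose `contains:` regex is anchored at `^`. Note too that inside a POSIX bracket expression a backslash is literal, so `[\s]*` may be read as "backslash or s" rather than whitespace on some sed builds — `[[:space:]]*` is the portable spelling. The same unanchored `grep` line survives unchanged in the PATCH 8/8 hunk of this file.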
From 93055dfbb432ca08fbe215ddc40235b3c815a604 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 17 Mar 2020 10:48:31 +0100
Subject: [PATCH 4/8] add oval check
---
.../services/ntp/chronyd_run_as_chrony_user/oval/shared.xml | 1 +
1 file changed, 1 insertion(+)
create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/oval/shared.xml
diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/oval/shared.xml
new file mode 100644
index 0000000000..fe2936bc92
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/oval/shared.xml
@@ -0,0 +1 @@
+{{{ oval_check_config_file(path='/etc/sysconfig/chronyd', prefix_regex='^[ \\t]*', parameter='OPTIONS', separator_regex='=', value='["]?.*-u chrony.*["]?', missing_parameter_pass=false, missing_config_file_fail=true) }}}
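Review bot: The `value` regex `["]?.*-u chrony.*["]?` has no boundary after `chrony`, so a setting such as `-u chronyx` would also satisfy the check because the trailing `.*` absorbs the rest of the value; with the leading `.*` present the optional `["]?` prefixes add nothing either. A word boundary keeps the match exact, e.g. `value='["]?.*-u chrony\\b.*["]?'`, using the same doubled backslash that `prefix_regex='^[ \\t]*'` on this line already relies on — presumably the macro passes the string through as a pattern, which is worth confirming against other callers of `oval_check_config_file` in the tree.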
From 4e1c628a1aca02a578aa1e9401c7d4c48367bc5d Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 17 Mar 2020 10:48:45 +0100
Subject: [PATCH 5/8] add tests
---
.../ntp/chronyd_run_as_chrony_user/tests/correct.pass.sh | 5 +++++
.../ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh | 6 ++++++
.../chronyd_run_as_chrony_user/tests/empty_options.fail.sh | 5 +++++
.../chronyd_run_as_chrony_user/tests/file_missing.fail.sh | 5 +++++
.../ntp/chronyd_run_as_chrony_user/tests/wrong_line.fail.sh | 5 +++++
5 files changed, 26 insertions(+)
create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct.pass.sh
create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh
create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty_options.fail.sh
create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/file_missing.fail.sh
create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line.fail.sh
diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct.pass.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct.pass.sh
new file mode 100644
index 0000000000..44783378ce
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+yum -y install chrony
+
+echo 'OPTIONS="-u chrony"' > /etc/sysconfig/chronyd
diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh
new file mode 100644
index 0000000000..51f5b8663f
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+yum -y install ntp
+
+echo "" > /etc/sysconfig/ntpd
+echo "" > /usr/lib/systemd/system/ntpd.service
diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty_options.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty_options.fail.sh
new file mode 100644
index 0000000000..c38004ae8a
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty_options.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+yum -y install chrony
+
+echo 'OPTIONS=""' > /etc/sysconfig/chronyd
diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/file_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/file_missing.fail.sh
new file mode 100644
index 0000000000..c5e5c97b85
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/file_missing.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+yum -y install chrony
+
+rm -f /etc/sysconfig/ntpd
diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line.fail.sh
new file mode 100644
index 0000000000..72ef399539
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+yum -y install chrony
+
+echo 'OPTIONS="-u root:root"' > /etc/sysconfig/chronyd
From 72e02f1d773b513cb2bcfac35cef2b17b036c7a6 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 18 Mar 2020 12:09:26 +0100
Subject: [PATCH 6/8] fix wording and ansible
---
.../ntp/chronyd_run_as_chrony_user/ansible/shared.yml | 9 ++++-----
.../services/ntp/chronyd_run_as_chrony_user/rule.yml | 4 ++--
2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml
index f9c29734c0..42acdff9f4 100644
--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml
@@ -4,24 +4,23 @@
# complexity = low
# disruption = low
-- name: "detect if file is not empty or missing"
+- name: "Detect if file /etc/sysconfig/chronyd is not empty or missing"
find:
path: /etc/sysconfig/
patterns: chronyd
contains: '^([\s]*OPTIONS=["]?[^"]*)("?)'
register: chronyd_file
-- name: "replace existing setting or create a new file, rest is handled by different task"
+- name: "Correct existing in /etc/sysconfig/chronyd to run chronyd as chrony user"
lineinfile:
path: /etc/sysconfig/chronyd
regexp: '^([\s]*OPTIONS=["]?[^"]*)("?)'
line: '\1 -u chrony\2'
state: present
- create: True
backrefs: True
- when: chronyd_file.matched > 0
+ when: chronyd_file is defined and chronyd_file.matched > 0
-- name: "put line into file, assume file was empty"
+- name: "Insert correct line into /etc/sysconfig/chronyd ensuring chronyd runs as chrony user"
lineinfile:
path: /etc/sysconfig/chronyd
line: 'OPTIONS="-u chrony"'
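Review bot: The new guard `when: chronyd_file is defined and chronyd_file.matched > 0` can never see an undefined `chronyd_file`, because the `find` task above registers it unconditionally; the only effect of `is defined` is that, should registration ever be lost (the find task skipped or renamed in a later change), the remediation is skipped silently instead of failing, leaving the file unremediated with no visible error. `when: chronyd_file.matched > 0` keeps that failure loud. The PATCH 8/8 hunks of this file extend the same pattern to the third task's `when:`.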
diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
index 811ab8ac91..cd641ce0cb 100644
--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
prodtype: rhel7,rhel8,fedora
-title: 'Ensure thatchronyd is running under chrony user account'
+title: 'Ensure that chronyd is running under chrony user account'
description: |-
chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to
@@ -11,7 +11,7 @@ description: |-
{{{ weblink(link="http://chrony.tuxfamily.org/") }}}.
Chrony can be configured to be a client and/or a server.
To ensure that chronyd is running under chrony user account, Add or edit the
- <tt>OPTIONS</tt> variable in <tt>/etc/sysconfig/chronyd</tt> to include ' -u chrony ':
+ <tt>OPTIONS</tt> variable in <tt>/etc/sysconfig/chronyd</tt> to include <tt>-u chrony</tt>:
<pre>OPTIONS="-u chrony"</pre>
This recommendation only applies if chrony is in use on the system.
From 0885706c1d1e9f2b0dfd1150736549e0d1a036c1 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 18 Mar 2020 12:09:56 +0100
Subject: [PATCH 7/8] fix and add tests
---
.../tests/correct_multiple_options.pass.sh | 5 +++++
.../ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh | 3 +--
.../chronyd_run_as_chrony_user/tests/file_missing.fail.sh | 2 +-
.../chronyd_run_as_chrony_user/tests/wrong_line_2.fail.sh | 5 +++++
4 files changed, 12 insertions(+), 3 deletions(-)
create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct_multiple_options.pass.sh
create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line_2.fail.sh
diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct_multiple_options.pass.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct_multiple_options.pass.sh
new file mode 100644
index 0000000000..12f14a7e28
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct_multiple_options.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+yum -y install chrony
+
+echo 'OPTIONS="-g -u chrony"' > /etc/sysconfig/chronyd
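Review bot: Both pass tests only exercise the double-quoted form `OPTIONS="..."`, while the two remediations carry a comment that the value "may or may not be enclosed in quotes" and the OVAL `value` regex makes the quotes optional, so the unquoted path has no coverage. A `correct_unquoted.pass.sh` containing `echo 'OPTIONS=-u chrony' > /etc/sysconfig/chronyd` after the same `yum -y install chrony` would cover it.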
diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh
index 51f5b8663f..85b4995681 100644
--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh
@@ -2,5 +2,4 @@
yum -y install ntp
-echo "" > /etc/sysconfig/ntpd
-echo "" > /usr/lib/systemd/system/ntpd.service
+echo "" > /etc/sysconfig/chronyd
diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/file_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/file_missing.fail.sh
index c5e5c97b85..96787432db 100644
--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/file_missing.fail.sh
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/file_missing.fail.sh
@@ -2,4 +2,4 @@
yum -y install chrony
-rm -f /etc/sysconfig/ntpd
+rm -f /etc/sysconfig/chronyd
diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line_2.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line_2.fail.sh
new file mode 100644
index 0000000000..4c3a51181a
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line_2.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+yum -y install chrony
+
+echo 'OPTIONS="-g"' > /etc/sysconfig/chronyd
From 1ffcfa459d95f335747e158adf1596323f72e518 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 18 Mar 2020 15:57:11 +0100
Subject: [PATCH 8/8] fix remediations to remove any previous user
configuration
fix test
---
.../ntp/chronyd_run_as_chrony_user/ansible/shared.yml | 11 +++++++++--
.../ntp/chronyd_run_as_chrony_user/bash/shared.sh | 2 +-
.../chronyd_run_as_chrony_user/tests/empty.fail.sh | 2 +-
3 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml
index 42acdff9f4..e60dd11eb2 100644
--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml
@@ -11,7 +11,14 @@
contains: '^([\s]*OPTIONS=["]?[^"]*)("?)'
register: chronyd_file
-- name: "Correct existing in /etc/sysconfig/chronyd to run chronyd as chrony user"
+- name: "Remove any previous configuration of user used to run chronyd process"
+ replace:
+ path: /etc/sysconfig/chronyd
+ regexp: '\s*-u\s+\w+\s*'
+ replace: ' '
+ when: chronyd_file is defined and chronyd_file.matched > 0
+
+- name: "Correct existing line in /etc/sysconfig/chronyd to run chronyd as chrony user"
lineinfile:
path: /etc/sysconfig/chronyd
regexp: '^([\s]*OPTIONS=["]?[^"]*)("?)'
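Review bot: The new `replace` task rewrites a file that is already compliant: on `OPTIONS="-u chrony"` its regex strips `-u chrony` and the `lineinfile` task below re-adds it, so both tasks report `changed` and the file is rewritten on every run. Guarding both tasks with a prior `find` that detects an already-correct line keeps the play idempotent; the second task's `when:` line lies between the two hunks of this file. Also, `replace` applies `'\s*-u\s+\w+\s*'` to every line of the file, not only the `OPTIONS=` line, so `regexp: '^(\s*OPTIONS=.*?)\s*-u\s+\w+\s*'` with `replace: '\1 '` limits it to the setting being remediated.
```yaml
- name: "Detect if /etc/sysconfig/chronyd already runs chronyd as chrony user"
  find:
    path: /etc/sysconfig/
    patterns: chronyd
    contains: '^\s*OPTIONS=.*-u\s+chrony\b'
  register: chronyd_compliant

# … unchanged: "Remove any previous configuration …" replace task, except its when: …
  when: chronyd_file.matched > 0 and chronyd_compliant.matched == 0

# … unchanged: "Correct existing line …" lineinfile task, except its when: …
  when: chronyd_file.matched > 0 and chronyd_compliant.matched == 0
```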
@@ -26,4 +33,4 @@
line: 'OPTIONS="-u chrony"'
state: present
create: True
- when: chronyd_file.matched == 0
+ when: chronyd_file is defined and chronyd_file.matched == 0
diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh
index 4210e28560..83acc51db0 100644
--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh
@@ -3,7 +3,7 @@
if grep -q 'OPTIONS=.*' /etc/sysconfig/chronyd; then
# trying to solve cases where the parameter after OPTIONS
#may or may not be enclosed in quotes
- sed -i -E 's/^([\s]*OPTIONS=["]?[^"]*)("?)/\1 -u chrony\2/' /etc/sysconfig/chronyd
+ sed -i -E -e 's/\s*-u\s+\w+\s*/ /' -e 's/^([\s]*OPTIONS=["]?[^"]*)("?)/\1 -u chrony\2/' /etc/sysconfig/chronyd
else
echo 'OPTIONS="-u chrony"' >> /etc/sysconfig/chronyd
fi
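Review bot: The new first sed expression `s/\s*-u\s+\w+\s*/ /` has no address, so it runs on every line of `/etc/sysconfig/chronyd` including comments, and since it also matches `-u chrony` itself a compliant file is stripped and rewritten (then re-added by the second expression) on every run. Restricting it to the setting being remediated, `-e '/^[[:space:]]*OPTIONS=/ s/\s*-u\s+\w+\s*/ /'`, keeps other lines untouched; skipping the `then` branch when the file already contains `-u chrony` would make the script a no-op on compliant systems.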
diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh
index 85b4995681..4a4f21ced7 100644
--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh
@@ -1,5 +1,5 @@
#!/bin/bash
-yum -y install ntp
+yum -y install chrony
echo "" > /etc/sysconfig/chronyd