commit ecedabee39e65415001ba59bf3c927329a10720f Author: Watson Sato Date: Mon Feb 28 11:40:02 2022 +0100 Manual edited patch scap-security-guide-0.1.61-no_time_servers_chrony-PR_8187.patch. diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml index a7b2a62..25a8589 100644 --- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml +++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml @@ -3,17 +3,25 @@ {{{ oval_metadata("Configure the maxpoll setting in /etc/ntp.conf or chrony.conf to continuously poll the time source servers.") }}} - - - + + + + + + - - - + + + + + + @@ -77,4 +85,26 @@ maxpoll \d+ + + + + + ^/etc/chrony\.(conf|d/.+\.conf)$ + ^(?:server|pool).* + 1 + + + + + + + /etc/ntp.conf + ^server.* + 1 + + diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml index 854e8e8..77af724 100644 --- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml +++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml @@ -11,6 +11,8 @@ description: |- maxpoll in /etc/ntp.conf or /etc/chrony.conf add the following:
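Review bot: The new ntp.conf source-existence object at the end of the second hunk only matches `^server.*`, whereas its chrony twin matches `^(?:server|pool).*`; ntpd's configuration also accepts `peer` and, on recent versions, `pool` source directives, so an ntp.conf that names its sources only that way would count as "no sources configured" and, now that the rule passes in that case, a missing maxpoll on those lines would go unreported. Unless the ntp maxpoll test itself never looked beyond `server` lines, align the pattern: `^(?:server|pool|peer).*`. The criteria and test elements were stripped from this rendering, so the AND/OR wiring of the new existence checks could not be verified here.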
maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}
+ If no server or pool directives are configured, the rule evaluates
+ to pass.
 {{% if product == "rhcos4" %}}

Note that if the remediation shipping with this content is being used, the diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh new file mode 100644 index 0000000..bbae20f --- /dev/null +++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh @@ -0,0 +1,12 @@ +#!/bin/bash +# packages = chrony +# +# profiles = xccdf_org.ssgproject.content_profile_stig + +yum remove -y ntp + +# Remove all pool and server options +sed -i "/^pool.*/d" /etc/chrony.conf +sed -i "/^server.*/d" /etc/chrony.conf + +systemctl enable chronyd.service diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml new file mode 100644 index 0000000..2244e60 --- /dev/null +++ b/linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml @@ -0,0 +1,33 @@ + + + {{{ oval_metadata("Ensure Chrony has time sources configured with server directive") }}} + + + + + + + + + + + ^/etc/chrony\.(conf|d/.+\.conf)$ + ^[\s]*server.*$ + 1 + + + + + + + ^/etc/chrony\.(conf|d/.+\.conf)$ + ^[\s]+pool.*$ + 1 + + diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/rule.yml b/linux_os/guide/services/ntp/chronyd_server_directive/rule.yml new file mode 100644 index 0000000..6dc24f1 --- /dev/null +++ b/linux_os/guide/services/ntp/chronyd_server_directive/rule.yml 
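Review bot: The sentence added to the description makes this rule vacuously satisfiable — a host with no time source at all now passes the maxpoll check — and the text should state that this is deliberate and what covers the gap, e.g. `This rule only checks the maxpoll value of configured sources; it does not verify that a time source exists. Use chronyd_server_directive (chrony) or an equivalent ntp rule for that.` The commit adds chronyd_server_directive to the RHEL 8 STIG profile, but no counterpart for ntpd is visible, so an ntp-based host would satisfy RHEL-08-030740 with an empty ntp.conf. The description block continues outside the hunk.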
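Review bot: The two sed lines clean only /etc/chrony.conf, but the object this pass case exercises also reads `/etc/chrony\.d/.+\.conf`, so any `server`/`pool` directive shipped in a drop-in would turn it into a fail for reasons unrelated to maxpoll. Clear the drop-ins as well, e.g. `for f in /etc/chrony.conf /etc/chrony.d/*.conf; do [ -f "$f" ] && sed -i '/^\(pool\|server\)/d' "$f"; done`. Whether the test images carry such drop-ins is not visible here, so this is a robustness point rather than an observed failure.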
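Review bot: The pool pattern `^[\s]+pool.*$` requires at least one leading whitespace character, so a `pool` directive at column 0 — the way the stock /etc/chrony.conf and the rule's own ocil `grep -E "^(server|pool)"` write it — never matches; assuming the pool test is wired as none_exist, a file holding both a `server` line and an unindented `pool` line would pass. Make it consistent with the server pattern: `^[\s]*pool.*$`. only_pool.fail.sh does not catch this because the stock file has no `server` line, so that case fails on the server check rather than on pool detection; a server_and_pool.fail.sh case would expose it. The criteria elements were stripped from this rendering, so the existence-check wiring is inferred from the tests, not seen.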
@@ -0,0 +1,32 @@
+documentation_complete: true
+
+title: 'Ensure Chrony is only configured with the server directive'
+
+description: |-
+ Check that Chrony only has time sources configured with the server directive.
+
+rationale: |-
+ Depending on the infrastruture being used the pool directive may not be supported.
+
+severity: medium
+
+platform: chrony
+
+warnings:
+ - general: This rule doesn't come with a remediation, the time source needs to be added by the adminstrator.
+
+identifiers:
+ cce@rhel8: CCE-86077-5
+ cce@rhel9: CCE-87077-4
+
+references:
+ disa: CCI-001891
+ srg: SRG-OS-000355-GPOS-00143,SRG-OS-000356-GPOS-00144,SRG-OS-000359-GPOS-00146
+ stigid@rhel8: RHEL-08-030740
+
+ocil_clause: 'a remote time server is not configured or configured with pool directive'
+
+ocil: |-
+ Run the following command and verify that time sources are only configure with server directive:
+

# grep -E "^(server|pool)" /etc/chrony.conf
+ A line with the appropriate server should be returned, any line returned starting with pool is a finding.
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh
new file mode 100644
index 0000000..d1ba075
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = chrony
+# platform = multi_platform_fedora,multi_platform_rhel
+# remediation = none
+
+echo "" > /etc/chrony.conf
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh
new file mode 100644
index 0000000..12a50eb
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = chrony
+# platform = multi_platform_fedora,multi_platform_rhel
+# remediation = none
+
+rm -f /etc/chrony.conf
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh
new file mode 100644
index 0000000..bffa8b6
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# packages = chrony
+# platform = multi_platform_fedora,multi_platform_rhel
+# remediation = none
+
+echo "some line" > /etc/chrony.conf
+echo "another line" >> /etc/chrony.conf
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh
new file mode 100644
index 0000000..5527f38
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh
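Review bot: The ocil command `grep -E "^(server|pool)" /etc/chrony.conf` inspects only the main file, while the rule's OVAL also evaluates `/etc/chrony\.(conf|d/.+\.conf)`, so a manual check and the automated result can disagree whenever sources live in a drop-in; make the ocil match the check: `# grep -E "^(server|pool)" /etc/chrony.conf /etc/chrony.d/*.conf`. The rationale also undersells the control — the STIG item this implements (RHEL-08-030740) needs maxpoll on each source, and the stock `pool` line is what the remediation cannot handle, which is worth saying explicitly. Wording fixes while here: "infrastruture" → "infrastructure", "adminstrator" → "administrator", "only configure with" → "only configured with".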
@@ -0,0 +1,8 @@
+#!/bin/bash
+# packages = chrony
+# platform = multi_platform_fedora,multi_platform_rhel
+# remediation = none
+
+sed -i "^pool.*" /etc/chrony.conf
+echo "server 0.pool.ntp.org" > /etc/chrony.conf
+echo "server 1.pool.ntp.org" >> /etc/chrony.conf
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh
new file mode 100644
index 0000000..616fe88
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# packages = chrony
+# platform = multi_platform_fedora,multi_platform_rhel
+# remediation = none
+
+sed -i "^server.*" /etc/chrony.conf
+if ! grep "^pool.*" /etc/chrony.conf; then
+ echo "pool 0.pool.ntp.org" > /etc/chrony.conf
+fi
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh
new file mode 100644
index 0000000..21a70dc
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = chrony
+# platform = multi_platform_fedora,multi_platform_rhel
+
+sed -i "^pool.*" /etc/chrony.conf
+echo "server 0.pool.ntp.org" > /etc/chrony.conf
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 7e142a9..bfb3753 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -910,6 +910,7 @@ selections: # RHEL-08-030740 # remediation fails because default configuration file contains pool instead of server keyword - chronyd_or_ntpd_set_maxpoll + - chronyd_server_directive # RHEL-08-030741 - chronyd_client_only
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 0584677..ec92589 100644
--- a/shared/references/cce-redhat-avail.txt
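Review bot: `sed -i "^pool.*" /etc/chrony.conf` is not a valid sed script — it is an address with no command — so sed exits with an error and removes nothing; the case still passes only because the `>` redirection on the next line replaces the whole file. Either drop the line or write it the way chrony_no_pool_nor_servers.pass.sh does, `sed -i "/^pool.*/d" /etc/chrony.conf`. Given the truncating echo, dropping it is the simpler fix.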
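Review bot: `sed -i "^server.*" /etc/chrony.conf` is an address without a command and fails without deleting anything, so any `server` line present would survive; and because the stock file carries no `server` line, this case currently fails on the missing-server check rather than on the `pool` line it is meant to exercise. Use `sed -i "/^server.*/d" /etc/chrony.conf` and `grep -q` to keep the check quiet. A separate server_and_pool.fail.sh that writes both a `server` line and a column-0 `pool` line is needed to prove pool detection itself.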
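Review bot: This test is the only one of the set without the `# remediation = none` header, although the rule ships no remediation (its warning says so); presumably the harness would attempt a remediation step before re-scanning, so keep the headers consistent by adding `# remediation = none`. The `sed -i "^pool.*" /etc/chrony.conf` line is also an invalid sed script (address without command) and only appears harmless because the `>` on the next line truncates the file — drop it or write `sed -i "/^pool.*/d" /etc/chrony.conf`.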
+++ b/shared/references/cce-redhat-avail.txt
@@ -188,7 +188,6 @@ CCE-86073-4
 CCE-86074-2
 CCE-86075-9
 CCE-86076-7
-CCE-86077-5
 CCE-86078-3
 CCE-86079-1
 CCE-86080-9
@@ -1168,7 +1167,6 @@ CCE-87073-3
 CCE-87074-1
 CCE-87075-8
 CCE-87076-6
-CCE-87077-4
 CCE-87078-2
 CCE-87079-0
 CCE-87080-8
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 26391b9..2411f02 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -154,6 +154,7 @@ selections:
 - chronyd_client_only
 - chronyd_no_chronyc_network
 - chronyd_or_ntpd_set_maxpoll
+- chronyd_server_directive
 - clean_components_post_updating
 - configure_bashrc_exec_tmux
 - configure_bind_crypto_policy
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 31a3264..f0a9601 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -165,6 +165,7 @@ selections:
 - chronyd_client_only
 - chronyd_no_chronyc_network
 - chronyd_or_ntpd_set_maxpoll
+- chronyd_server_directive
 - clean_components_post_updating
 - configure_bashrc_exec_tmux
 - configure_bind_crypto_policy