scap-security-guide/SOURCES/scap-security-guide-0.1.60-address_pool_directives_maxpoll_rule-PR_7910.patch


From bac8ca5091aa74eab66691fcb7a6ac0c944de9c6 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 23 Mar 2022 17:50:18 +0100
Subject: [PATCH] Manually edited patch
scap-security-guide-0.1.60-address_pool_directives_maxpoll_rule-PR_7910.patch.
---
.../chronyd_or_ntpd_set_maxpoll/ansible/shared.yml | 6 +++---
.../ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh | 6 +++---
.../chronyd_or_ntpd_set_maxpoll/oval/shared.xml | 4 ++--
.../ntp/chronyd_or_ntpd_set_maxpoll/rule.yml | 4 +++-
.../tests/chrony.pass.sh | 3 +++
.../tests/chrony_one_pool_configured.pass.sh | 14 ++++++++++++++
.../tests/chrony_one_pool_misconfigured.fail.sh | 14 ++++++++++++++
.../chrony_one_pool_missing_parameter.fail.sh | 14 ++++++++++++++
.../tests/chrony_one_server_misconfigured.fail.sh | 3 +++
9 files changed, 59 insertions(+), 9 deletions(-)
create mode 100644 linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_configured.pass.sh
create mode 100644 linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_misconfigured.fail.sh
create mode 100644 linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_missing_parameter.fail.sh
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml
index 3c83850..da0a622 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_rhel
# reboot = false
# strategy = restrict
# complexity = low
@@ -27,7 +27,7 @@
- name: Update the maxpoll values in /etc/chrony.conf
lineinfile:
path: /etc/chrony.conf
- regex: '^(server.*maxpoll) [0-9]+(\s+.*)$'
+ regex: '^((?:server|pool).*maxpoll) [0-9]+(\s+.*)$'
line: '\1 {{ var_time_service_set_maxpoll }}\2'
backrefs: yes
when: chrony_conf_exist_result.stat.exists
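Review bot: The task still targets only `path: /etc/chrony.conf` (unchanged context line above the new regex), while the OVAL object in this same patch reads `^/etc/chrony\.(conf|d/.+\.conf)$`, so a `pool` directive with a wrong or missing maxpoll in a drop-in under /etc/chrony.d fails the check and is never touched by this remediation; the next hunk of this file and bash/shared.sh have the same gap. Either apply both lineinfile tasks to `/etc/chrony.conf` plus the files found under `/etc/chrony.d/*.conf`, or state in rule.yml that drop-in files are checked but not remediated. The regex itself is fine; I only read the check against the remediation.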
@@ -43,7 +43,7 @@
- name: Set the maxpoll values in /etc/chrony.conf
lineinfile:
path: /etc/chrony.conf
- regex: '(^server\s+((?!maxpoll).)*)$'
+ regex: '(^(?:server|pool)\s+((?!maxpoll).)*)$'
line: '\1 maxpoll {{ var_time_service_set_maxpoll }}\n'
backrefs: yes
when: chrony_conf_exist_result.stat.exists
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh
index b23deff..54b1b73 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh
@@ -8,9 +8,9 @@ config_file="/etc/ntp.conf"
# Set maxpoll values to var_time_service_set_maxpoll
-sed -i "s/^\(server.*maxpoll\) [0-9][0-9]*\(.*\)$/\1 $var_time_service_set_maxpoll \2/" "$config_file"
+sed -i "s/^\(\(server\|pool\).*maxpoll\) [0-9][0-9]*\(.*\)$/\1 $var_time_service_set_maxpoll \3/" "$config_file"
-# Add maxpoll to server entries without maxpoll
-grep "^server" "$config_file" | grep -v maxpoll | while read -r line ; do
+# Add maxpoll to server or pool entries without maxpoll
+grep "^\(server\|pool\)" "$config_file" | grep -v maxpoll | while read -r line ; do
sed -i "s/$line/& maxpoll $var_time_service_set_maxpoll/" "$config_file"
done
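Review bot: The widened grep now also feeds `pool` directives into the unchanged `sed -i "s/$line/& maxpoll …/"` below it, where the config line is interpolated into the pattern unescaped and unanchored; pool names like `2.rhel.pool.ntp.org` contain `.` (regex metacharacters) and any `/` in a line would abort the sed, so the append can land on the wrong line or fail. The whole loop can be one sed that never embeds file content in a pattern: `sed -i "/^\(server\|pool\)/{/maxpoll/!s/\$/ maxpoll $var_time_service_set_maxpoll/;}" "$config_file"`. `config_file` is assigned outside the hunk, and this remediation edits that single file while the OVAL check in this patch also scans /etc/chrony.d/*.conf.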
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
index 25a8589..76f8101 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
@@ -46,7 +46,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_chrony_set_maxpoll" version="1">
<ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
- <ind:pattern operation="pattern match">^server[\s]+[\S]+.*maxpoll[\s]+(\d+)</ind:pattern>
+ <ind:pattern operation="pattern match">^(?:server|pool)[\s]+[\S]+.*maxpoll[\s]+(\d+)</ind:pattern>
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
@@ -77,7 +77,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_chrony_all_server_has_maxpoll" version="1">
<ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
- <ind:pattern operation="pattern match">^server[\s]+[\S]+[\s]+(.*)</ind:pattern>
+ <ind:pattern operation="pattern match">^(?:server|pool)[\s]+[\S]+[\s]+(.*)</ind:pattern>
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
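Review bot: The new pattern on the `+` line still requires at least one whitespace character after the host token, so a bare `pool pool.ntp.org` line with no options is not collected by obj_chrony_all_server_has_maxpoll. If the test that consumes this object (outside the hunk) compares its instance count with obj_chrony_set_maxpoll, as the id suggests, such a line lacks maxpoll yet goes unnoticed. `^(?:server|pool)[\s]+[\S]+[\s]*(.*)` captures it as well; the first hunk of this file is unaffected because it legitimately needs the maxpoll option present.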
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
index 77af724..bd5150b 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
@@ -9,8 +9,10 @@ description: |-
{{{ xccdf_value("var_time_service_set_maxpoll") }}} in <tt>/etc/ntp.conf</tt> or
<tt>/etc/chrony.conf</tt> to continuously poll time servers. To configure
<tt>maxpoll</tt> in <tt>/etc/ntp.conf</tt> or <tt>/etc/chrony.conf</tt>
- add the following:
+ add the following after each `server` or `pool` entry:
<pre>maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}</pre>
+ to <pre>server</pre> directives. If using chrony any <pre>pool</pre> directives
+ should be configured too.
If no <tt>server</tt> or <tt>pool</tt> directives are configured, the rule evaluates
to pass.
{{% if product == "rhcos4" %}}
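Review bot: The added description reads "add the following after each `server` or `pool` entry: … to <pre>server</pre> directives", which names the target twice and mixes Markdown backticks with the `<tt>` markup used in the rest of the description. Suggest `add the following to each <tt>server</tt> or <tt>pool</tt> directive:` on the first added line and replacing the second addition with `If using chrony, any <tt>pool</tt> directives must be configured as well.` Since the check in this patch also reads /etc/chrony.d/*.conf while the remediations edit only /etc/chrony.conf, a sentence stating that here would spare users a surprising fail-after-remediate.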
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony.pass.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony.pass.sh
index 38f5031..60dfc29 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony.pass.sh
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony.pass.sh
@@ -5,6 +5,9 @@
yum remove -y ntp
+# Remove all pool options
+sed -i "/^pool.*/d" /etc/chrony.conf
+
if ! grep "^server" /etc/chrony.conf ; then
echo "server foo.example.net iburst maxpoll 10" >> /etc/chrony.conf
elif ! grep "^server.*maxpoll 10" /etc/chrony.conf; then
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_configured.pass.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_configured.pass.sh
new file mode 100644
index 0000000..6cbeb0e
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_configured.pass.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# packages = chrony
+#
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+yum remove -y ntp
+
+# Remove all server or pool options
+sed -i "/^\(server\|pool\).*/d" /etc/chrony.conf
+
+echo "pool pool.ntp.org iburst maxpoll 16" >> /etc/chrony.conf
+
+systemctl enable chronyd.service
+
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_misconfigured.fail.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_misconfigured.fail.sh
new file mode 100644
index 0000000..12f2cda
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_misconfigured.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# packages = chrony
+#
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+yum remove -y ntp
+
+# Remove all server or pool options
+sed -i "/^\(server\|pool\).*/d" /etc/chrony.conf
+
+echo "pool pool.ntp.org iburst maxpoll 18" >> /etc/chrony.conf
+
+systemctl enable chronyd.service
+
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_missing_parameter.fail.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_missing_parameter.fail.sh
new file mode 100644
index 0000000..1ef4798
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_missing_parameter.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# packages = chrony
+#
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+yum remove -y ntp
+
+# Remove all server options
+sed -i "/^\(server\|pool\).*/d" /etc/chrony.conf
+
+echo "pool pool.ntp.org iburst" >> /etc/chrony.conf
+
+systemctl enable chronyd.service
+
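Review bot: The comment `# Remove all server options` does not describe the sed beneath it, which deletes both server and pool lines; the two sibling tests added in this patch use `# Remove all server or pool options`, and this file should say the same. Nothing else in the test differs from chrony_one_pool_misconfigured.fail.sh except the echoed directive, so the comment is the only place a reader could be misled.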
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_server_misconfigured.fail.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_server_misconfigured.fail.sh
index 0fc7840..6f86faf 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_server_misconfigured.fail.sh
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_server_misconfigured.fail.sh
@@ -5,6 +5,9 @@
yum remove -y ntp
+# Remove all pool options
+sed -i "/^pool.*/d" /etc/chrony.conf
+
if ! grep "^server.*maxpoll 10" /etc/chrony.conf; then
sed -i "s/^server.*/& maxpoll 10/" /etc/chrony.conf
fi
--
2.34.1