cd3b90bce2
Update sudoers rules in RHEL8 STIG V1R5 Add missing SRG references in RHEL8 STIG V1R5 rules Update chronyd_or_ntpd_set_maxpoll to disregard server and poll directives Fix GRUB2 rule template to configure the module correctly on RHEL8 Update GRUB2 rule descriptions Make package_rear_installed not applicable on AARCH64 Resolves: rhbz#2045403 Resolves: rhbz#2014561 Resolves: rhbz#2020623
370 lines
17 KiB
Diff
370 lines
17 KiB
Diff
From bbafe0a7b4b9eb50bc622d9f9f3c0074fca932f9 Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Wed, 9 Feb 2022 16:17:52 +0100
|
|
Subject: [PATCH 1/2] Pass the rule when no time server nor pool is set
|
|
|
|
If no time server or pool is configured, there is no entry to add
|
|
maxpoll option to, so the rule should evaluate to pass.
|
|
---
|
|
.../oval/shared.xml | 50 +++++++++++++++----
|
|
.../ntp/chronyd_or_ntpd_set_maxpoll/rule.yml | 2 +
|
|
.../tests/chrony_no_pool_nor_servers.pass.sh | 12 +++++
|
|
3 files changed, 54 insertions(+), 10 deletions(-)
|
|
create mode 100644 linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh
|
|
|
|
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
|
|
index 780c2e2d0ba..76f810123f3 100644
|
|
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
|
|
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
|
|
@@ -3,17 +3,25 @@
|
|
{{{ oval_metadata("Configure the maxpoll setting in /etc/ntp.conf or chrony.conf
|
|
to continuously poll the time source servers.") }}}
|
|
<criteria operator="OR">
|
|
- <criteria operator="AND">
|
|
- <criterion comment="check if maxpoll is set in /etc/ntp.conf"
|
|
- test_ref="test_ntp_set_maxpoll" />
|
|
- <criterion comment="check if all server entries have maxpoll set in /etc/ntp.conf"
|
|
- test_ref="test_ntp_all_server_has_maxpoll"/>
|
|
+ <criteria operator="OR">
|
|
+ <criterion comment="check if no server or pool entry is set in /etc/chrony.conf"
|
|
+ test_ref="test_ntp_no_server"/>
|
|
+ <criteria operator="AND">
|
|
+ <criterion comment="check if maxpoll is set in /etc/ntp.conf"
|
|
+ test_ref="test_ntp_set_maxpoll" />
|
|
+ <criterion comment="check if all server entries have maxpoll set in /etc/ntp.conf"
|
|
+ test_ref="test_ntp_all_server_has_maxpoll"/>
|
|
+ </criteria>
|
|
</criteria>
|
|
- <criteria operator="AND">
|
|
- <criterion comment="check if maxpoll is set in /etc/chrony.conf"
|
|
- test_ref="test_chrony_set_maxpoll" />
|
|
- <criterion comment="check if all server entries have maxpoll set in /etc/chrony.conf"
|
|
- test_ref="test_chrony_all_server_has_maxpoll"/>
|
|
+ <criteria operator="OR">
|
|
+ <criterion comment="check if no server or pool entry is set in /etc/chrony.conf"
|
|
+ test_ref="test_chrony_no_server_nor_pool"/>
|
|
+ <criteria operator="AND">
|
|
+ <criterion comment="check if maxpoll is set in /etc/chrony.conf"
|
|
+ test_ref="test_chrony_set_maxpoll" />
|
|
+ <criterion comment="check if all server entries have maxpoll set in /etc/chrony.conf"
|
|
+ test_ref="test_chrony_all_server_has_maxpoll"/>
|
|
+ </criteria>
|
|
</criteria>
|
|
</criteria>
|
|
</definition>
|
|
@@ -77,4 +85,26 @@
|
|
<ind:subexpression operation="pattern match" datatype="string">maxpoll \d+</ind:subexpression>
|
|
</ind:textfilecontent54_state>
|
|
|
|
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
|
|
+ comment="check if no server entries have server or pool set in /etc/chrony.conf"
|
|
+ id="test_chrony_no_server_nor_pool" version="1">
|
|
+ <ind:object object_ref="obj_chrony_no_server_nor_pool" />
|
|
+ </ind:textfilecontent54_test>
|
|
+ <ind:textfilecontent54_object id="obj_chrony_no_server_nor_pool" version="1">
|
|
+ <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
|
|
+ <ind:pattern operation="pattern match">^(?:server|pool).*</ind:pattern>
|
|
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
|
+ </ind:textfilecontent54_object>
|
|
+
|
|
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
|
|
+ comment="check if all server entries have maxpoll set in /etc/ntp.conf"
|
|
+ id="test_ntp_no_server" version="1">
|
|
+ <ind:object object_ref="obj_ntp_no_server_nor_pool" />
|
|
+ </ind:textfilecontent54_test>
|
|
+ <ind:textfilecontent54_object id="obj_ntp_no_server_nor_pool" version="1">
|
|
+ <ind:filepath>/etc/ntp.conf</ind:filepath>
|
|
+ <ind:pattern operation="pattern match">^server.*</ind:pattern>
|
|
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
|
+ </ind:textfilecontent54_object>
|
|
+
|
|
</def-group>
|
|
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
|
|
index 20e7467a7b5..c115ad3c115 100644
|
|
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
|
|
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
|
|
@@ -13,6 +13,8 @@ description: |-
|
|
<pre>maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}</pre>
|
|
to <pre>server</pre> directives. If using chrony any <pre>pool</pre> directives
|
|
should be configured too.
|
|
+ If no <tt>server</tt> or <tt>pool</tt> directives are configured, the rule evaluates
|
|
+ to pass.
|
|
{{% if product == "rhcos4" %}}
|
|
<p>
|
|
Note that if the remediation shipping with this content is being used, the
|
|
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh
|
|
new file mode 100644
|
|
index 00000000000..bbae20fc696
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh
|
|
@@ -0,0 +1,12 @@
|
|
+#!/bin/bash
|
|
+# packages = chrony
|
|
+#
|
|
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
+
|
|
+yum remove -y ntp
|
|
+
|
|
+# Remove all pool and server options
|
|
+sed -i "/^pool.*/d" /etc/chrony.conf
|
|
+sed -i "/^server.*/d" /etc/chrony.conf
|
|
+
|
|
+systemctl enable chronyd.service
|
|
|
|
From 60ef6eb2cce9e53ea256738ff2583b332155a318 Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Fri, 11 Feb 2022 12:14:30 +0100
|
|
Subject: [PATCH 2/2] Add rule ensuring Chrony only uses server directive
|
|
|
|
This new rule only asserts that Chrony has at least one time source configured,
|
|
and that it is done with the 'server' directive.
|
|
No remediation is provided for rule, that is left for other specialized
|
|
rules.
|
|
---
|
|
.../chronyd_server_directive/oval/shared.xml | 33 +++++++++++++++++++
|
|
.../ntp/chronyd_server_directive/rule.yml | 32 ++++++++++++++++++
|
|
.../tests/file_empty.fail.sh | 6 ++++
|
|
.../tests/file_missing.fail.sh | 6 ++++
|
|
.../tests/line_missing.fail.sh | 7 ++++
|
|
.../tests/multiple_servers.pass.sh | 8 +++++
|
|
.../tests/only_pool.fail.sh | 9 +++++
|
|
.../tests/only_server.pass.sh | 6 ++++
|
|
products/rhel8/profiles/stig.profile | 1 +
|
|
products/rhel9/profiles/stig.profile | 1 +
|
|
shared/references/cce-redhat-avail.txt | 2 --
|
|
.../data/profile_stability/rhel8/stig.profile | 1 +
|
|
.../profile_stability/rhel8/stig_gui.profile | 1 +
|
|
13 files changed, 111 insertions(+), 2 deletions(-)
|
|
create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml
|
|
create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/rule.yml
|
|
create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh
|
|
create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh
|
|
create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh
|
|
create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh
|
|
create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh
|
|
create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh
|
|
|
|
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml
|
|
new file mode 100644
|
|
index 00000000000..2244e608047
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml
|
|
@@ -0,0 +1,33 @@
|
|
+<def-group>
|
|
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
|
+ {{{ oval_metadata("Ensure Chrony has time sources configured with server directive") }}}
|
|
+ <criteria comment="chrony.conf only has server directive">
|
|
+ <criterion test_ref="test_chronyd_server_directive_with_server" />
|
|
+ <criterion test_ref="test_chronyd_server_directive_no_pool" />
|
|
+ </criteria>
|
|
+ </definition>
|
|
+
|
|
+ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists"
|
|
+ comment="Ensure at least one time source is set with server directive" id="test_chronyd_server_directive_with_server"
|
|
+ version="1">
|
|
+ <ind:object object_ref="object_chronyd_server_directive" />
|
|
+ </ind:textfilecontent54_test>
|
|
+ <ind:textfilecontent54_object comment="Matches server entries in Chrony conf files"
|
|
+ id="object_chronyd_server_directive" version="1">
|
|
+ <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
|
|
+ <ind:pattern operation="pattern match">^[\s]*server.*$</ind:pattern>
|
|
+ <ind:instance datatype="int">1</ind:instance>
|
|
+ </ind:textfilecontent54_object>
|
|
+
|
|
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
|
|
+ comment="Ensure no time source is set with pool directive" id="test_chronyd_server_directive_no_pool"
|
|
+ version="1">
|
|
+ <ind:object object_ref="object_chronyd_no_pool_directive" />
|
|
+ </ind:textfilecontent54_test>
|
|
+ <ind:textfilecontent54_object comment="Matches pool entires in Chrony conf files"
|
|
+ id="object_chronyd_no_pool_directive" version="1">
|
|
+ <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
|
|
+ <ind:pattern operation="pattern match">^[\s]+pool.*$</ind:pattern>
|
|
+ <ind:instance datatype="int">1</ind:instance>
|
|
+ </ind:textfilecontent54_object>
|
|
+</def-group>
|
|
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/rule.yml b/linux_os/guide/services/ntp/chronyd_server_directive/rule.yml
|
|
new file mode 100644
|
|
index 00000000000..6dc24f1be85
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/rule.yml
|
|
@@ -0,0 +1,32 @@
|
|
+documentation_complete: true
|
|
+
|
|
+title: 'Ensure Chrony is only configured with the server directive'
|
|
+
|
|
+description: |-
|
|
+ Check that Chrony only has time sources configured with the <tt>server</tt> directive.
|
|
+
|
|
+rationale: |-
|
|
+ Depending on the infrastruture being used the <tt>pool</tt> directive may not be supported.
|
|
+
|
|
+severity: medium
|
|
+
|
|
+platform: chrony
|
|
+
|
|
+warnings:
|
|
+ - general: This rule doesn't come with a remediation, the time source needs to be added by the adminstrator.
|
|
+
|
|
+identifiers:
|
|
+ cce@rhel8: CCE-86077-5
|
|
+ cce@rhel9: CCE-87077-4
|
|
+
|
|
+references:
|
|
+ disa: CCI-001891
|
|
+ srg: SRG-OS-000355-GPOS-00143,SRG-OS-000356-GPOS-00144,SRG-OS-000359-GPOS-00146
|
|
+ stigid@rhel8: RHEL-08-030740
|
|
+
|
|
+ocil_clause: 'a remote time server is not configured or configured with pool directive'
|
|
+
|
|
+ocil: |-
|
|
+ Run the following command and verify that time sources are only configure with <tt>server</tt> directive:
|
|
+ <pre># grep -E "^(server|pool)" /etc/chrony.conf</pre>
|
|
+ A line with the appropriate server should be returned, any line returned starting with <tt>pool</tt> is a finding.
|
|
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh
|
|
new file mode 100644
|
|
index 00000000000..d1ba0755198
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh
|
|
@@ -0,0 +1,6 @@
|
|
+#!/bin/bash
|
|
+# packages = chrony
|
|
+# platform = multi_platform_fedora,multi_platform_rhel
|
|
+# remediation = none
|
|
+
|
|
+echo "" > /etc/chrony.conf
|
|
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh
|
|
new file mode 100644
|
|
index 00000000000..12a50ebc3d2
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh
|
|
@@ -0,0 +1,6 @@
|
|
+#!/bin/bash
|
|
+# packages = chrony
|
|
+# platform = multi_platform_fedora,multi_platform_rhel
|
|
+# remediation = none
|
|
+
|
|
+rm -f /etc/chrony.conf
|
|
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh
|
|
new file mode 100644
|
|
index 00000000000..bffa8b62b1b
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh
|
|
@@ -0,0 +1,7 @@
|
|
+#!/bin/bash
|
|
+# packages = chrony
|
|
+# platform = multi_platform_fedora,multi_platform_rhel
|
|
+# remediation = none
|
|
+
|
|
+echo "some line" > /etc/chrony.conf
|
|
+echo "another line" >> /etc/chrony.conf
|
|
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh
|
|
new file mode 100644
|
|
index 00000000000..5527f389316
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh
|
|
@@ -0,0 +1,8 @@
|
|
+#!/bin/bash
|
|
+# packages = chrony
|
|
+# platform = multi_platform_fedora,multi_platform_rhel
|
|
+# remediation = none
|
|
+
|
|
+sed -i "^pool.*" /etc/chrony.conf
|
|
+echo "server 0.pool.ntp.org" > /etc/chrony.conf
|
|
+echo "server 1.pool.ntp.org" >> /etc/chrony.conf
|
|
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh
|
|
new file mode 100644
|
|
index 00000000000..616fe8844fc
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh
|
|
@@ -0,0 +1,9 @@
|
|
+#!/bin/bash
|
|
+# packages = chrony
|
|
+# platform = multi_platform_fedora,multi_platform_rhel
|
|
+# remediation = none
|
|
+
|
|
+sed -i "^server.*" /etc/chrony.conf
|
|
+if ! grep "^pool.*" /etc/chrony.conf; then
|
|
+ echo "pool 0.pool.ntp.org" > /etc/chrony.conf
|
|
+fi
|
|
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh
|
|
new file mode 100644
|
|
index 00000000000..21a70dc4900
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh
|
|
@@ -0,0 +1,6 @@
|
|
+#!/bin/bash
|
|
+# packages = chrony
|
|
+# platform = multi_platform_fedora,multi_platform_rhel
|
|
+
|
|
+sed -i "^pool.*" /etc/chrony.conf
|
|
+echo "server 0.pool.ntp.org" > /etc/chrony.conf
|
|
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
|
index 36f606ee461..2bd1fb54316 100644
|
|
--- a/products/rhel8/profiles/stig.profile
|
|
+++ b/products/rhel8/profiles/stig.profile
|
|
@@ -909,6 +909,7 @@ selections:
|
|
# RHEL-08-030740
|
|
# remediation fails because default configuration file contains pool instead of server keyword
|
|
- chronyd_or_ntpd_set_maxpoll
|
|
+ - chronyd_server_directive
|
|
|
|
# RHEL-08-030741
|
|
- chronyd_client_only
|
|
diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
|
|
index 374932cfd32..0d4d7b0ff97 100644
|
|
--- a/products/rhel9/profiles/stig.profile
|
|
+++ b/products/rhel9/profiles/stig.profile
|
|
@@ -909,6 +909,7 @@ selections:
|
|
# RHEL-08-030740
|
|
# remediation fails because default configuration file contains pool instead of server keyword
|
|
- chronyd_or_ntpd_set_maxpoll
|
|
+ - chronyd_server_directive
|
|
|
|
# RHEL-08-030741
|
|
- chronyd_client_only
|
|
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
|
index 8c59c5d3201..0081fe1938f 100644
|
|
--- a/shared/references/cce-redhat-avail.txt
|
|
+++ b/shared/references/cce-redhat-avail.txt
|
|
@@ -152,7 +152,6 @@ CCE-86073-4
|
|
CCE-86074-2
|
|
CCE-86075-9
|
|
CCE-86076-7
|
|
-CCE-86077-5
|
|
CCE-86078-3
|
|
CCE-86079-1
|
|
CCE-86080-9
|
|
@@ -1079,7 +1078,6 @@ CCE-87073-3
|
|
CCE-87074-1
|
|
CCE-87075-8
|
|
CCE-87076-6
|
|
-CCE-87077-4
|
|
CCE-87078-2
|
|
CCE-87079-0
|
|
CCE-87080-8
|
|
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
|
index 5b06103d72e..7d44f8910d1 100644
|
|
--- a/tests/data/profile_stability/rhel8/stig.profile
|
|
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
|
@@ -160,6 +160,7 @@ selections:
|
|
- chronyd_client_only
|
|
- chronyd_no_chronyc_network
|
|
- chronyd_or_ntpd_set_maxpoll
|
|
+- chronyd_server_directive
|
|
- clean_components_post_updating
|
|
- configure_bashrc_exec_tmux
|
|
- configure_bind_crypto_policy
|
|
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
index 11e0ee9515a..91546d1d418 100644
|
|
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
@@ -171,6 +171,7 @@ selections:
|
|
- chronyd_client_only
|
|
- chronyd_no_chronyc_network
|
|
- chronyd_or_ntpd_set_maxpoll
|
|
+- chronyd_server_directive
|
|
- clean_components_post_updating
|
|
- configure_bashrc_exec_tmux
|
|
- configure_bind_crypto_policy
|