scap-security-guide/SOURCES/scap-security-guide-0.1.60-address_pool_directives_maxpoll_rule-PR_7910.patch
2022-04-26 18:09:24 +00:00

196 lines
9.1 KiB
Diff

From bac8ca5091aa74eab66691fcb7a6ac0c944de9c6 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 23 Mar 2022 17:50:18 +0100
Subject: [PATCH] Manually edited patch
scap-security-guide-0.1.60-address_pool_directives_maxpoll_rule-PR_7910.patch.
---
.../chronyd_or_ntpd_set_maxpoll/ansible/shared.yml | 6 +++---
.../ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh | 6 +++---
.../chronyd_or_ntpd_set_maxpoll/oval/shared.xml | 4 ++--
.../ntp/chronyd_or_ntpd_set_maxpoll/rule.yml | 4 +++-
.../tests/chrony.pass.sh | 3 +++
.../tests/chrony_one_pool_configured.pass.sh | 14 ++++++++++++++
.../tests/chrony_one_pool_misconfigured.fail.sh | 14 ++++++++++++++
.../chrony_one_pool_missing_parameter.fail.sh | 14 ++++++++++++++
.../tests/chrony_one_server_misconfigured.fail.sh | 3 +++
9 files changed, 59 insertions(+), 9 deletions(-)
create mode 100644 linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_configured.pass.sh
create mode 100644 linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_misconfigured.fail.sh
create mode 100644 linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_missing_parameter.fail.sh
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml
index 3c83850..da0a622 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_rhel
# reboot = false
# strategy = restrict
# complexity = low
@@ -27,7 +27,7 @@
- name: Update the maxpoll values in /etc/chrony.conf
lineinfile:
path: /etc/chrony.conf
- regex: '^(server.*maxpoll) [0-9]+(\s+.*)$'
+ regex: '^((?:server|pool).*maxpoll) [0-9]+(\s+.*)$'
line: '\1 {{ var_time_service_set_maxpoll }}\2'
backrefs: yes
when: chrony_conf_exist_result.stat.exists
@@ -43,7 +43,7 @@
- name: Set the maxpoll values in /etc/chrony.conf
lineinfile:
path: /etc/chrony.conf
- regex: '(^server\s+((?!maxpoll).)*)$'
+ regex: '(^(?:server|pool)\s+((?!maxpoll).)*)$'
line: '\1 maxpoll {{ var_time_service_set_maxpoll }}\n'
backrefs: yes
when: chrony_conf_exist_result.stat.exists
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh
index b23deff..54b1b73 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh
@@ -8,9 +8,9 @@ config_file="/etc/ntp.conf"
# Set maxpoll values to var_time_service_set_maxpoll
-sed -i "s/^\(server.*maxpoll\) [0-9][0-9]*\(.*\)$/\1 $var_time_service_set_maxpoll \2/" "$config_file"
+sed -i "s/^\(\(server\|pool\).*maxpoll\) [0-9][0-9]*\(.*\)$/\1 $var_time_service_set_maxpoll \3/" "$config_file"
-# Add maxpoll to server entries without maxpoll
-grep "^server" "$config_file" | grep -v maxpoll | while read -r line ; do
+# Add maxpoll to server or pool entries without maxpoll
+grep "^\(server\|pool\)" "$config_file" | grep -v maxpoll | while read -r line ; do
sed -i "s/$line/& maxpoll $var_time_service_set_maxpoll/" "$config_file"
done
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
index 25a8589..76f8101 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
@@ -46,7 +46,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_chrony_set_maxpoll" version="1">
<ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
- <ind:pattern operation="pattern match">^server[\s]+[\S]+.*maxpoll[\s]+(\d+)</ind:pattern>
+ <ind:pattern operation="pattern match">^(?:server|pool)[\s]+[\S]+.*maxpoll[\s]+(\d+)</ind:pattern>
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
@@ -77,7 +77,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_chrony_all_server_has_maxpoll" version="1">
<ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
- <ind:pattern operation="pattern match">^server[\s]+[\S]+[\s]+(.*)</ind:pattern>
+ <ind:pattern operation="pattern match">^(?:server|pool)[\s]+[\S]+[\s]+(.*)</ind:pattern>
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
index 77af724..bd5150b 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
@@ -9,8 +9,10 @@ description: |-
{{{ xccdf_value("var_time_service_set_maxpoll") }}} in <tt>/etc/ntp.conf</tt> or
<tt>/etc/chrony.conf</tt> to continuously poll time servers. To configure
<tt>maxpoll</tt> in <tt>/etc/ntp.conf</tt> or <tt>/etc/chrony.conf</tt>
- add the following:
+ add the following after each `server` or `pool` entry:
<pre>maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}</pre>
+ to <pre>server</pre> directives. If using chrony any <pre>pool</pre> directives
+ should be configured too.
If no <tt>server</tt> or <tt>pool</tt> directives are configured, the rule evaluates
to pass.
{{% if product == "rhcos4" %}}
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony.pass.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony.pass.sh
index 38f5031..60dfc29 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony.pass.sh
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony.pass.sh
@@ -5,6 +5,9 @@
yum remove -y ntp
+# Remove all pool options
+sed -i "/^pool.*/d" /etc/chrony.conf
+
if ! grep "^server" /etc/chrony.conf ; then
echo "server foo.example.net iburst maxpoll 10" >> /etc/chrony.conf
elif ! grep "^server.*maxpoll 10" /etc/chrony.conf; then
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_configured.pass.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_configured.pass.sh
new file mode 100644
index 0000000..6cbeb0e
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_configured.pass.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# packages = chrony
+#
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+yum remove -y ntp
+
+# Remove all server or pool options
+sed -i "/^\(server\|pool\).*/d" /etc/chrony.conf
+
+echo "pool pool.ntp.org iburst maxpoll 16" >> /etc/chrony.conf
+
+systemctl enable chronyd.service
+
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_misconfigured.fail.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_misconfigured.fail.sh
new file mode 100644
index 0000000..12f2cda
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_misconfigured.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# packages = chrony
+#
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+yum remove -y ntp
+
+# Remove all server or pool options
+sed -i "/^\(server\|pool\).*/d" /etc/chrony.conf
+
+echo "pool pool.ntp.org iburst maxpoll 18" >> /etc/chrony.conf
+
+systemctl enable chronyd.service
+
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_missing_parameter.fail.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_missing_parameter.fail.sh
new file mode 100644
index 0000000..1ef4798
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_missing_parameter.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# packages = chrony
+#
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+yum remove -y ntp
+
+# Remove all server options
+sed -i "/^\(server\|pool\).*/d" /etc/chrony.conf
+
+echo "pool pool.ntp.org iburst" >> /etc/chrony.conf
+
+systemctl enable chronyd.service
+
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_server_misconfigured.fail.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_server_misconfigured.fail.sh
index 0fc7840..6f86faf 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_server_misconfigured.fail.sh
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_server_misconfigured.fail.sh
@@ -5,6 +5,9 @@
yum remove -y ntp
+# Remove all pool options
+sed -i "/^pool.*/d" /etc/chrony.conf
+
if ! grep "^server.*maxpoll 10" /etc/chrony.conf; then
sed -i "s/^server.*/& maxpoll 10/" /etc/chrony.conf
fi
--
2.34.1