From bac8ca5091aa74eab66691fcb7a6ac0c944de9c6 Mon Sep 17 00:00:00 2001
|
|
From: Gabriel Becker <ggasparb@redhat.com>
|
|
Date: Wed, 23 Mar 2022 17:50:18 +0100
|
|
Subject: [PATCH] Manually edited patch
|
|
scap-security-guide-0.1.60-address_pool_directives_maxpoll_rule-PR_7910.patch.
|
|
|
|
---
|
|
.../chronyd_or_ntpd_set_maxpoll/ansible/shared.yml | 6 +++---
|
|
.../ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh | 6 +++---
|
|
.../chronyd_or_ntpd_set_maxpoll/oval/shared.xml | 4 ++--
|
|
.../ntp/chronyd_or_ntpd_set_maxpoll/rule.yml | 4 +++-
|
|
.../tests/chrony.pass.sh | 3 +++
|
|
.../tests/chrony_one_pool_configured.pass.sh | 14 ++++++++++++++
|
|
.../tests/chrony_one_pool_misconfigured.fail.sh | 14 ++++++++++++++
|
|
.../chrony_one_pool_missing_parameter.fail.sh | 14 ++++++++++++++
|
|
.../tests/chrony_one_server_misconfigured.fail.sh | 3 +++
|
|
9 files changed, 59 insertions(+), 9 deletions(-)
|
|
create mode 100644 linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_configured.pass.sh
|
|
create mode 100644 linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_misconfigured.fail.sh
|
|
create mode 100644 linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_missing_parameter.fail.sh
|
|
|
|
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml
|
|
index 3c83850..da0a622 100644
|
|
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml
|
|
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml
|
|
@@ -1,4 +1,4 @@
|
|
-# platform = multi_platform_sle
|
|
+# platform = multi_platform_sle,multi_platform_rhel
|
|
# reboot = false
|
|
# strategy = restrict
|
|
# complexity = low
|
|
@@ -27,7 +27,7 @@
|
|
- name: Update the maxpoll values in /etc/chrony.conf
|
|
lineinfile:
|
|
path: /etc/chrony.conf
|
|
- regex: '^(server.*maxpoll) [0-9]+(\s+.*)$'
|
|
+ regex: '^((?:server|pool).*maxpoll) [0-9]+(\s+.*)$'
|
|
line: '\1 {{ var_time_service_set_maxpoll }}\2'
|
|
backrefs: yes
|
|
when: chrony_conf_exist_result.stat.exists
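Review bot: Both lineinfile tasks (this hunk and the one at `@@ -43,7 +43,7 @@`) still correct at most one directive: with `regexp` set, lineinfile edits only the last line that matches, so a chrony.conf holding several `server`/`pool` entries leaves all but one untouched, while the bash remediation in the same patch loops over every entry. The `replace` module with the same `regexp` and `replace: '\1 {{ var_time_service_set_maxpoll }}\2'` applies to every matching line and would keep the two remediations consistent. The new regex also keeps `(\s+.*)$`, which demands at least one whitespace character after the number, so a line ending exactly in `maxpoll 10` is not rewritten here and is skipped by the second task too because it already contains `maxpoll`; `(\s*.*)$` closes that gap without changing the backreference layout.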
|
|
@@ -43,7 +43,7 @@
|
|
- name: Set the maxpoll values in /etc/chrony.conf
|
|
lineinfile:
|
|
path: /etc/chrony.conf
|
|
- regex: '(^server\s+((?!maxpoll).)*)$'
|
|
+ regex: '(^(?:server|pool)\s+((?!maxpoll).)*)$'
|
|
line: '\1 maxpoll {{ var_time_service_set_maxpoll }}\n'
|
|
backrefs: yes
|
|
when: chrony_conf_exist_result.stat.exists
|
|
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh
|
|
index b23deff..54b1b73 100644
|
|
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh
|
|
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh
|
|
@@ -8,9 +8,9 @@ config_file="/etc/ntp.conf"
|
|
|
|
|
|
# Set maxpoll values to var_time_service_set_maxpoll
|
|
-sed -i "s/^\(server.*maxpoll\) [0-9][0-9]*\(.*\)$/\1 $var_time_service_set_maxpoll \2/" "$config_file"
|
|
+sed -i "s/^\(\(server\|pool\).*maxpoll\) [0-9][0-9]*\(.*\)$/\1 $var_time_service_set_maxpoll \3/" "$config_file"
|
|
|
|
-# Add maxpoll to server entries without maxpoll
|
|
-grep "^server" "$config_file" | grep -v maxpoll | while read -r line ; do
|
|
+# Add maxpoll to server or pool entries without maxpoll
|
|
+grep "^\(server\|pool\)" "$config_file" | grep -v maxpoll | while read -r line ; do
|
|
sed -i "s/$line/& maxpoll $var_time_service_set_maxpoll/" "$config_file"
|
|
done
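Review bot: The new grep feeds each matching line into `sed -i "s/$line/& maxpoll .../"` unescaped and unanchored, so the directive text is treated as a regular expression and a substring: `.` in a hostname matches any character, a `/`, `&` or `\` in the line breaks the expression, and a line `server foo` would also alter a later `server foobar iburst` (constructed example). One sed pass replaces the loop and avoids interpolating file content into a pattern: `sed -i -E '/^(server|pool)[[:space:]]/{/maxpoll/!s/$/ maxpoll '"$var_time_service_set_maxpoll"'/}' "$config_file"`, which also tightens the `^\(server\|pool\)` prefix match that currently accepts any directive starting with those letters. Separately, the substitution on the first `+` line accepts only a single space between `maxpoll` and its value while the OVAL pattern in this patch accepts `[\s]+`, so a tab-separated value is neither rewritten here nor appended by the loop and is never corrected by the remediation.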
|
|
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
|
|
index 25a8589..76f8101 100644
|
|
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
|
|
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
|
|
@@ -46,7 +46,7 @@
|
|
</ind:textfilecontent54_test>
|
|
<ind:textfilecontent54_object id="obj_chrony_set_maxpoll" version="1">
|
|
<ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
|
|
- <ind:pattern operation="pattern match">^server[\s]+[\S]+.*maxpoll[\s]+(\d+)</ind:pattern>
|
|
+ <ind:pattern operation="pattern match">^(?:server|pool)[\s]+[\S]+.*maxpoll[\s]+(\d+)</ind:pattern>
|
|
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
|
</ind:textfilecontent54_object>
|
|
|
|
@@ -77,7 +77,7 @@
|
|
</ind:textfilecontent54_test>
|
|
<ind:textfilecontent54_object id="obj_chrony_all_server_has_maxpoll" version="1">
|
|
<ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
|
|
- <ind:pattern operation="pattern match">^server[\s]+[\S]+[\s]+(.*)</ind:pattern>
|
|
+ <ind:pattern operation="pattern match">^(?:server|pool)[\s]+[\S]+[\s]+(.*)</ind:pattern>
|
|
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
|
</ind:textfilecontent54_object>
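Review bot: The second object's pattern `^(?:server|pool)[\s]+[\S]+[\s]+(.*)` requires whitespace after the address, so a directive with no options at all (`pool 2.example.net`, constructed example) is not counted as a server/pool line; if the state compares this object's instance count against `obj_chrony_set_maxpoll` (the test and state definitions are outside the hunk), such a line has no maxpoll yet would go unreported. Making the option part optional, `^(?:server|pool)[\s]+[\S]+(?:[\s]+(.*))?$`, counts it, provided whatever consumes the capture group tolerates an empty match; the same applies to the pre-existing `server`-only form, so this is an inherited gap rather than one introduced here.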
|
|
|
|
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
|
|
index 77af724..bd5150b 100644
|
|
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
|
|
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
|
|
@@ -9,8 +9,10 @@ description: |-
|
|
{{{ xccdf_value("var_time_service_set_maxpoll") }}} in <tt>/etc/ntp.conf</tt> or
|
|
<tt>/etc/chrony.conf</tt> to continuously poll time servers. To configure
|
|
<tt>maxpoll</tt> in <tt>/etc/ntp.conf</tt> or <tt>/etc/chrony.conf</tt>
|
|
- add the following:
|
|
+ add the following after each `server` or `pool` entry:
|
|
<pre>maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}</pre>
|
|
+ to <pre>server</pre> directives. If using chrony any <pre>pool</pre> directives
|
|
+ should be configured too.
|
|
If no <tt>server</tt> or <tt>pool</tt> directives are configured, the rule evaluates
|
|
to pass.
|
|
{{% if product == "rhcos4" %}}
|
|
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony.pass.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony.pass.sh
|
|
index 38f5031..60dfc29 100644
|
|
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony.pass.sh
|
|
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony.pass.sh
|
|
@@ -5,6 +5,9 @@
|
|
|
|
yum remove -y ntp
|
|
|
|
+# Remove all pool options
|
|
+sed -i "/^pool.*/d" /etc/chrony.conf
|
|
+
|
|
if ! grep "^server" /etc/chrony.conf ; then
|
|
echo "server foo.example.net iburst maxpoll 10" >> /etc/chrony.conf
|
|
elif ! grep "^server.*maxpoll 10" /etc/chrony.conf; then
|
|
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_configured.pass.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_configured.pass.sh
|
|
new file mode 100644
|
|
index 0000000..6cbeb0e
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_configured.pass.sh
|
|
@@ -0,0 +1,14 @@
|
|
+#!/bin/bash
|
|
+# packages = chrony
|
|
+#
|
|
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
+
|
|
+yum remove -y ntp
|
|
+
|
|
+# Remove all server or pool options
|
|
+sed -i "/^\(server\|pool\).*/d" /etc/chrony.conf
|
|
+
|
|
+echo "pool pool.ntp.org iburst maxpoll 16" >> /etc/chrony.conf
|
|
+
|
|
+systemctl enable chronyd.service
|
|
+
|
|
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_misconfigured.fail.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_misconfigured.fail.sh
|
|
new file mode 100644
|
|
index 0000000..12f2cda
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_misconfigured.fail.sh
|
|
@@ -0,0 +1,14 @@
|
|
+#!/bin/bash
|
|
+# packages = chrony
|
|
+#
|
|
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
+
|
|
+yum remove -y ntp
|
|
+
|
|
+# Remove all server or pool options
|
|
+sed -i "/^\(server\|pool\).*/d" /etc/chrony.conf
|
|
+
|
|
+echo "pool pool.ntp.org iburst maxpoll 18" >> /etc/chrony.conf
|
|
+
|
|
+systemctl enable chronyd.service
|
|
+
|
|
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_missing_parameter.fail.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_missing_parameter.fail.sh
|
|
new file mode 100644
|
|
index 0000000..1ef4798
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_missing_parameter.fail.sh
|
|
@@ -0,0 +1,14 @@
|
|
+#!/bin/bash
|
|
+# packages = chrony
|
|
+#
|
|
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
+
|
|
+yum remove -y ntp
|
|
+
|
|
+# Remove all server options
|
|
+sed -i "/^\(server\|pool\).*/d" /etc/chrony.conf
|
|
+
|
|
+echo "pool pool.ntp.org iburst" >> /etc/chrony.conf
|
|
+
|
|
+systemctl enable chronyd.service
|
|
+
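Review bot: The comment `# Remove all server options` above the sed does not describe what the command deletes (both `server` and `pool` lines) and differs from the wording the two sibling test files added in this patch use for the identical command; `# Remove all server or pool options` keeps the three consistent. The three new scenarios share the same preparation and differ only in the appended `pool` line, so if the shared setup grows it may be worth factoring into a common snippet, but that is optional.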
|
|
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_server_misconfigured.fail.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_server_misconfigured.fail.sh
|
|
index 0fc7840..6f86faf 100644
|
|
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_server_misconfigured.fail.sh
|
|
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_server_misconfigured.fail.sh
|
|
@@ -5,6 +5,9 @@
|
|
|
|
yum remove -y ntp
|
|
|
|
+# Remove all pool options
|
|
+sed -i "/^pool.*/d" /etc/chrony.conf
|
|
+
|
|
if ! grep "^server.*maxpoll 10" /etc/chrony.conf; then
|
|
sed -i "s/^server.*/& maxpoll 10/" /etc/chrony.conf
|
|
fi
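Review bot: After the added sed deletes every `pool` line, nothing in this script ensures a `server` line exists: the `if` that follows only edits an existing `server` directive, so on a configuration whose only directives were `pool` entries the file ends with no server/pool lines at all, and per the rule description in this patch that state evaluates to pass, which would make this fail test pass. chrony.pass.sh in the same patch handles the missing-server case with an `echo "server ..." >> /etc/chrony.conf` branch; the equivalent here, placed before the existing check, is `if ! grep -q "^server" /etc/chrony.conf; then echo "server foo.example.net iburst maxpoll 10" >> /etc/chrony.conf; fi`, using the same misconfigured value the script already applies.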
|
|
--
|
|
2.34.1
|
|
|