scap-security-guide/scap-security-guide-0.1.61-chrony_maxpoll-PR_8187.patch

370 lines
17 KiB
Diff

From bbafe0a7b4b9eb50bc622d9f9f3c0074fca932f9 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 9 Feb 2022 16:17:52 +0100
Subject: [PATCH 1/2] Pass the rule when no time server nor pool is set
If no time server or pool is configured, there is no entry to add
maxpoll option to, so the rule should evaluate to pass.
---
.../oval/shared.xml | 50 +++++++++++++++----
.../ntp/chronyd_or_ntpd_set_maxpoll/rule.yml | 2 +
.../tests/chrony_no_pool_nor_servers.pass.sh | 12 +++++
3 files changed, 54 insertions(+), 10 deletions(-)
create mode 100644 linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
index 780c2e2d0ba..76f810123f3 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
@@ -3,17 +3,25 @@
{{{ oval_metadata("Configure the maxpoll setting in /etc/ntp.conf or chrony.conf
to continuously poll the time source servers.") }}}
<criteria operator="OR">
- <criteria operator="AND">
- <criterion comment="check if maxpoll is set in /etc/ntp.conf"
- test_ref="test_ntp_set_maxpoll" />
- <criterion comment="check if all server entries have maxpoll set in /etc/ntp.conf"
- test_ref="test_ntp_all_server_has_maxpoll"/>
+ <criteria operator="OR">
+ <criterion comment="check if no server or pool entry is set in /etc/chrony.conf"
+ test_ref="test_ntp_no_server"/>
+ <criteria operator="AND">
+ <criterion comment="check if maxpoll is set in /etc/ntp.conf"
+ test_ref="test_ntp_set_maxpoll" />
+ <criterion comment="check if all server entries have maxpoll set in /etc/ntp.conf"
+ test_ref="test_ntp_all_server_has_maxpoll"/>
+ </criteria>
</criteria>
- <criteria operator="AND">
- <criterion comment="check if maxpoll is set in /etc/chrony.conf"
- test_ref="test_chrony_set_maxpoll" />
- <criterion comment="check if all server entries have maxpoll set in /etc/chrony.conf"
- test_ref="test_chrony_all_server_has_maxpoll"/>
+ <criteria operator="OR">
+ <criterion comment="check if no server or pool entry is set in /etc/chrony.conf"
+ test_ref="test_chrony_no_server_nor_pool"/>
+ <criteria operator="AND">
+ <criterion comment="check if maxpoll is set in /etc/chrony.conf"
+ test_ref="test_chrony_set_maxpoll" />
+ <criterion comment="check if all server entries have maxpoll set in /etc/chrony.conf"
+ test_ref="test_chrony_all_server_has_maxpoll"/>
+ </criteria>
</criteria>
</criteria>
</definition>
@@ -77,4 +85,26 @@
<ind:subexpression operation="pattern match" datatype="string">maxpoll \d+</ind:subexpression>
</ind:textfilecontent54_state>
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
+ comment="check if no server entries have server or pool set in /etc/chrony.conf"
+ id="test_chrony_no_server_nor_pool" version="1">
+ <ind:object object_ref="obj_chrony_no_server_nor_pool" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_chrony_no_server_nor_pool" version="1">
+ <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
+ <ind:pattern operation="pattern match">^(?:server|pool).*</ind:pattern>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="check if all server entries have maxpoll set in /etc/ntp.conf"
+ id="test_ntp_no_server" version="1">
+ <ind:object object_ref="obj_ntp_no_server_nor_pool" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_ntp_no_server_nor_pool" version="1">
+ <ind:filepath>/etc/ntp.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^server.*</ind:pattern>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
</def-group>
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
index 20e7467a7b5..c115ad3c115 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
@@ -13,6 +13,8 @@ description: |-
<pre>maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}</pre>
to <pre>server</pre> directives. If using chrony any <pre>pool</pre> directives
should be configured too.
+ If no <tt>server</tt> or <tt>pool</tt> directives are configured, the rule evaluates
+ to pass.
{{% if product == "rhcos4" %}}
<p>
Note that if the remediation shipping with this content is being used, the
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh
new file mode 100644
index 00000000000..bbae20fc696
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# packages = chrony
+#
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+yum remove -y ntp
+
+# Remove all pool and server options
+sed -i "/^pool.*/d" /etc/chrony.conf
+sed -i "/^server.*/d" /etc/chrony.conf
+
+systemctl enable chronyd.service
From 60ef6eb2cce9e53ea256738ff2583b332155a318 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 11 Feb 2022 12:14:30 +0100
Subject: [PATCH 2/2] Add rule ensuring Chrony only uses server directive
This new rule only asserts that Chrony has at least one time source configured,
and that it is done with the 'server' directive.
No remediation is provided for rule, that is left for other specialized
rules.
---
.../chronyd_server_directive/oval/shared.xml | 33 +++++++++++++++++++
.../ntp/chronyd_server_directive/rule.yml | 32 ++++++++++++++++++
.../tests/file_empty.fail.sh | 6 ++++
.../tests/file_missing.fail.sh | 6 ++++
.../tests/line_missing.fail.sh | 7 ++++
.../tests/multiple_servers.pass.sh | 8 +++++
.../tests/only_pool.fail.sh | 9 +++++
.../tests/only_server.pass.sh | 6 ++++
products/rhel8/profiles/stig.profile | 1 +
products/rhel9/profiles/stig.profile | 1 +
shared/references/cce-redhat-avail.txt | 2 --
.../data/profile_stability/rhel8/stig.profile | 1 +
.../profile_stability/rhel8/stig_gui.profile | 1 +
13 files changed, 111 insertions(+), 2 deletions(-)
create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml
create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/rule.yml
create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh
create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh
create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh
create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh
create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh
create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml
new file mode 100644
index 00000000000..2244e608047
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml
@@ -0,0 +1,33 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("Ensure Chrony has time sources configured with server directive") }}}
+ <criteria comment="chrony.conf only has server directive">
+ <criterion test_ref="test_chronyd_server_directive_with_server" />
+ <criterion test_ref="test_chronyd_server_directive_no_pool" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists"
+ comment="Ensure at least one time source is set with server directive" id="test_chronyd_server_directive_with_server"
+ version="1">
+ <ind:object object_ref="object_chronyd_server_directive" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object comment="Matches server entries in Chrony conf files"
+ id="object_chronyd_server_directive" version="1">
+ <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*server.*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
+ comment="Ensure no time source is set with pool directive" id="test_chronyd_server_directive_no_pool"
+ version="1">
+ <ind:object object_ref="object_chronyd_no_pool_directive" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object comment="Matches pool entires in Chrony conf files"
+ id="object_chronyd_no_pool_directive" version="1">
+ <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]+pool.*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/rule.yml b/linux_os/guide/services/ntp/chronyd_server_directive/rule.yml
new file mode 100644
index 00000000000..6dc24f1be85
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/rule.yml
@@ -0,0 +1,32 @@
+documentation_complete: true
+
+title: 'Ensure Chrony is only configured with the server directive'
+
+description: |-
+ Check that Chrony only has time sources configured with the <tt>server</tt> directive.
+
+rationale: |-
+ Depending on the infrastruture being used the <tt>pool</tt> directive may not be supported.
+
+severity: medium
+
+platform: chrony
+
+warnings:
+ - general: This rule doesn't come with a remediation, the time source needs to be added by the adminstrator.
+
+identifiers:
+ cce@rhel8: CCE-86077-5
+ cce@rhel9: CCE-87077-4
+
+references:
+ disa: CCI-001891
+ srg: SRG-OS-000355-GPOS-00143,SRG-OS-000356-GPOS-00144,SRG-OS-000359-GPOS-00146
+ stigid@rhel8: RHEL-08-030740
+
+ocil_clause: 'a remote time server is not configured or configured with pool directive'
+
+ocil: |-
+ Run the following command and verify that time sources are only configure with <tt>server</tt> directive:
+ <pre># grep -E "^(server|pool)" /etc/chrony.conf</pre>
+ A line with the appropriate server should be returned, any line returned starting with <tt>pool</tt> is a finding.
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh
new file mode 100644
index 00000000000..d1ba0755198
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = chrony
+# platform = multi_platform_fedora,multi_platform_rhel
+# remediation = none
+
+echo "" > /etc/chrony.conf
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh
new file mode 100644
index 00000000000..12a50ebc3d2
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = chrony
+# platform = multi_platform_fedora,multi_platform_rhel
+# remediation = none
+
+rm -f /etc/chrony.conf
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh
new file mode 100644
index 00000000000..bffa8b62b1b
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# packages = chrony
+# platform = multi_platform_fedora,multi_platform_rhel
+# remediation = none
+
+echo "some line" > /etc/chrony.conf
+echo "another line" >> /etc/chrony.conf
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh
new file mode 100644
index 00000000000..5527f389316
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# packages = chrony
+# platform = multi_platform_fedora,multi_platform_rhel
+# remediation = none
+
+sed -i "^pool.*" /etc/chrony.conf
+echo "server 0.pool.ntp.org" > /etc/chrony.conf
+echo "server 1.pool.ntp.org" >> /etc/chrony.conf
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh
new file mode 100644
index 00000000000..616fe8844fc
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# packages = chrony
+# platform = multi_platform_fedora,multi_platform_rhel
+# remediation = none
+
+sed -i "^server.*" /etc/chrony.conf
+if ! grep "^pool.*" /etc/chrony.conf; then
+ echo "pool 0.pool.ntp.org" > /etc/chrony.conf
+fi
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh
new file mode 100644
index 00000000000..21a70dc4900
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = chrony
+# platform = multi_platform_fedora,multi_platform_rhel
+
+sed -i "^pool.*" /etc/chrony.conf
+echo "server 0.pool.ntp.org" > /etc/chrony.conf
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 36f606ee461..2bd1fb54316 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -909,6 +909,7 @@ selections:
# RHEL-08-030740
# remediation fails because default configuration file contains pool instead of server keyword
- chronyd_or_ntpd_set_maxpoll
+ - chronyd_server_directive
# RHEL-08-030741
- chronyd_client_only
diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
index 374932cfd32..0d4d7b0ff97 100644
--- a/products/rhel9/profiles/stig.profile
+++ b/products/rhel9/profiles/stig.profile
@@ -909,6 +909,7 @@ selections:
# RHEL-08-030740
# remediation fails because default configuration file contains pool instead of server keyword
- chronyd_or_ntpd_set_maxpoll
+ - chronyd_server_directive
# RHEL-08-030741
- chronyd_client_only
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 8c59c5d3201..0081fe1938f 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -152,7 +152,6 @@ CCE-86073-4
CCE-86074-2
CCE-86075-9
CCE-86076-7
-CCE-86077-5
CCE-86078-3
CCE-86079-1
CCE-86080-9
@@ -1079,7 +1078,6 @@ CCE-87073-3
CCE-87074-1
CCE-87075-8
CCE-87076-6
-CCE-87077-4
CCE-87078-2
CCE-87079-0
CCE-87080-8
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 5b06103d72e..7d44f8910d1 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -160,6 +160,7 @@ selections:
- chronyd_client_only
- chronyd_no_chronyc_network
- chronyd_or_ntpd_set_maxpoll
+- chronyd_server_directive
- clean_components_post_updating
- configure_bashrc_exec_tmux
- configure_bind_crypto_policy
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 11e0ee9515a..91546d1d418 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -171,6 +171,7 @@ selections:
- chronyd_client_only
- chronyd_no_chronyc_network
- chronyd_or_ntpd_set_maxpoll
+- chronyd_server_directive
- clean_components_post_updating
- configure_bashrc_exec_tmux
- configure_bind_crypto_policy