Merge pull request #11958 from jan-cerny/issue11934

Fix crony.d config directory in Ansible in rule chronyd_or_ntpd_set_maxpoll

linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml

@@ -11,14 +11,14 @@
     path: /etc/ntp.conf
   register: ntp_conf_exist_result
 
-- name: "{{{ rule_title }}} - Update the Maxpoll Values in /etc/ntp.conf"
+- name: "{{{ rule_title }}} - Update the maxpoll Values in /etc/ntp.conf"
   ansible.builtin.replace:
     path: /etc/ntp.conf
     regexp: '^(server.*maxpoll)[ ]+[0-9]+(.*)$'
     replace: '\1 {{ var_time_service_set_maxpoll }}\2'
   when: ntp_conf_exist_result.stat.exists
 
-- name: "{{{ rule_title }}} - Set the Maxpoll Values in /etc/ntp.conf"
+- name: "{{{ rule_title }}} - Set the maxpoll Values in /etc/ntp.conf"
   ansible.builtin.replace:
     path: /etc/ntp.conf
     regexp: '(^server\s+((?!maxpoll).)*)$'
@@ -34,29 +34,39 @@
     path: {{{ chrony_conf_path }}}
   register: chrony_conf_exist_result
 
-- name: "{{{ rule_title }}} - Set Chrony Path Facts"
-  ansible.builtin.set_fact:
-    chrony_path: {{{ chrony_conf_path }}}
+- name: "{{{ rule_title }}} - Update the maxpoll Values in {{{ chrony_conf_path }}}"
+  ansible.builtin.replace:
+    path: "{{{ chrony_conf_path }}}"
+    regexp: '^((?:server|pool|peer).*maxpoll)[ ]+[0-9]+(.*)$'
+    replace: '\1 {{ var_time_service_set_maxpoll }}\2'
+  when: chrony_conf_exist_result.stat.exists
+
+- name: "{{{ rule_title }}} - Set the maxpoll Values in {{{ chrony_conf_path }}}"
+  ansible.builtin.replace:
+    path: "{{{ chrony_conf_path }}}"
+    regexp: '(^(?:server|pool|peer)\s+((?!maxpoll).)*)$'
+    replace: '\1 maxpoll {{ var_time_service_set_maxpoll }}\n'
+  when: chrony_conf_exist_result.stat.exists
 
-- name: "{{{ rule_title }}} - Get Conf Files from {{ chrony_path | dirname }}"
+- name: "{{{ rule_title }}} - Get Conf Files from {{{ chrony_d_path }}}"
   ansible.builtin.find:
-    path: "{{ chrony_path | dirname }}"
+    path: "{{{ chrony_d_path }}}"
     patterns: '*.conf'
     file_type: file
-  register: chrony_conf_files
+  register: chrony_d_conf_files
 
-- name: "{{{ rule_title }}} - Update the Maxpoll Values in {{{ chrony_conf_path }}}"
+- name: "{{{ rule_title }}} - Update the maxpoll Values in {{{ chrony_d_path }}}"
   ansible.builtin.replace:
     path: "{{ item.path }}"
     regexp: '^((?:server|pool|peer).*maxpoll)[ ]+[0-9]+(.*)$'
     replace: '\1 {{ var_time_service_set_maxpoll }}\2'
-  loop: '{{ chrony_conf_files.files }}'
-  when: chrony_conf_files.matched
+  loop: '{{ chrony_d_conf_files.files }}'
+  when: chrony_d_conf_files.matched
 
-- name: "{{{ rule_title }}} - Set the Maxpoll Values in {{{ chrony_conf_path }}}"
+- name: "{{{ rule_title }}} - Set the maxpoll Values in {{{ chrony_d_path }}}"
   ansible.builtin.replace:
     path: "{{ item.path }}"
     regexp: '(^(?:server|pool|peer)\s+((?!maxpoll).)*)$'
     replace: '\1 maxpoll {{ var_time_service_set_maxpoll }}\n'
-  loop: '{{ chrony_conf_files.files }}'
-  when: chrony_conf_files.matched
+  loop: '{{ chrony_d_conf_files.files }}'
+  when: chrony_d_conf_files.matched

linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh

@@ -11,22 +11,19 @@ pof="/usr/sbin/pidof"
 
 CONFIG_FILES="/etc/ntp.conf"
 $pof ntpd || {
-    CHRONY_NAME={{{ chrony_conf_path }}}
-    CHRONY_PATH=${CHRONY_NAME%%.*}
-    CONFIG_FILES=$(find ${CHRONY_PATH}.* -type f -name '*.conf')
+    CHRONY_D_PATH={{{ chrony_d_path }}}
+    mapfile -t CONFIG_FILES < <(find ${CHRONY_D_PATH}.* -type f -name '*.conf')
+    CONFIG_FILES+=({{{ chrony_conf_path }}})
 }
 
 # get list of ntp files
 
-for config_file in $CONFIG_FILES; do
+for config_file in "${CONFIG_FILES[@]}" ; do
     # Set maxpoll values to var_time_service_set_maxpoll
     sed -i "s/^\(\(server\|pool\|peer\).*maxpoll\) [0-9][0-9]*\(.*\)$/\1 $var_time_service_set_maxpoll \3/" "$config_file"
 done
 
-
-
-
-for config_file in $CONFIG_FILES; do
+for config_file in "${CONFIG_FILES[@]}" ; do
     # Add maxpoll to server, pool or peer entries without maxpoll
     grep "^\(server\|pool\|peer\)" "$config_file" | grep -v maxpoll | while read -r line ; do
         sed -i "s/$line/& maxpoll $var_time_service_set_maxpoll/" "$config_file"

linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml

@@ -2,26 +2,18 @@
   <definition class="compliance" id="chronyd_or_ntpd_set_maxpoll" version="1">
     {{{ oval_metadata("Configure the maxpoll setting in /etc/ntp.conf or chrony.conf
       to continuously poll the time source servers.") }}}
-    <criteria operator="AND">
-      <criteria operator="OR">
-        <criterion comment="check if no server entry is set in /etc/ntp.conf"
-          test_ref="test_ntp_no_server"/>
-        <criteria operator="AND">
-          <criterion comment="check if maxpoll is set in /etc/ntp.conf"
+    <criteria operator="OR">
+      <criteria operator="AND">
+        <criterion comment="check if maxpoll is set in /etc/ntp.conf"
           test_ref="test_ntp_set_maxpoll" />
-          <criterion comment="check if all server entries have maxpoll set in /etc/ntp.conf"
+        <criterion comment="check if all server entries have maxpoll set in /etc/ntp.conf"
           test_ref="test_ntp_all_server_has_maxpoll"/>
-        </criteria>
       </criteria>
-      <criteria operator="OR">
-        <criterion comment="check if no server or pool entry is set in {{{ chrony_conf_path }}}"
-          test_ref="test_chrony_no_server_nor_pool"/>
-        <criteria operator="AND">
-          <criterion comment="check if maxpoll is set in {{{ chrony_conf_path }}}"
+      <criteria operator="AND">
+        <criterion comment="check if maxpoll is set in {{{ chrony_conf_path }}} or {{{ chrony_d_path }}}"
           test_ref="test_chrony_set_maxpoll" />
-          <criterion comment="check if all server entries have maxpoll set in {{{ chrony_conf_path }}}"
+        <criterion comment="check if all server entries have maxpoll set in {{{ chrony_conf_path }}} or {{{ chrony_d_path }}}"
           test_ref="test_chrony_all_server_has_maxpoll"/>
-        </criteria>
       </criteria>
     </criteria>
   </definition>
@@ -38,14 +30,16 @@
     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
+{{% set filepath_regex = "^(" + chrony_conf_path | replace(".", "\.") + "|" + chrony_d_path | replace(".", "\.") + ".+\.conf)$" %}}
+
   <ind:textfilecontent54_test check="all" check_existence="all_exist"
-  comment="check if maxpoll is set in {{{ chrony_conf_path }}}"
+  comment="check if maxpoll is set in {{{ chrony_conf_path }}} or {{{ chrony_d_path }}}"
   id="test_chrony_set_maxpoll" version="1">
     <ind:object object_ref="obj_chrony_set_maxpoll" />
     <ind:state state_ref="state_time_service_set_maxpoll" />
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="obj_chrony_set_maxpoll" version="1">
-    <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
+    <ind:filepath operation="pattern match">{{{ filepath_regex }}}</ind:filepath>
     <ind:pattern operation="pattern match">^(?:server|pool|peer)[\s]+[\S]+.*maxpoll[\s]+(\d+)</ind:pattern>
     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
@@ -70,13 +64,13 @@
   </ind:textfilecontent54_object>
 
   <ind:textfilecontent54_test check="all" check_existence="all_exist"
-  comment="check if all server entries have maxpoll set in {{{ chrony_conf_path }}}"
+  comment="check if all server entries have maxpoll set in {{{ chrony_conf_path }}} or {{{ chrony_d_path }}}"
   id="test_chrony_all_server_has_maxpoll" version="1">
     <ind:object object_ref="obj_chrony_all_server_has_maxpoll" />
     <ind:state state_ref="state_server_has_maxpoll" />
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="obj_chrony_all_server_has_maxpoll" version="1">
-    <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
+    <ind:filepath operation="pattern match">{{{ filepath_regex }}}</ind:filepath>
     <ind:pattern operation="pattern match">^(?:server|pool|peer)[\s]+[\S]+[\s]+(.*)</ind:pattern>
     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
@@ -85,26 +79,4 @@
     <ind:subexpression operation="pattern match" datatype="string">maxpoll \d+</ind:subexpression>
   </ind:textfilecontent54_state>
 
-  <ind:textfilecontent54_test check="all" check_existence="none_exist"
-  comment="check if no server entries have server or pool set in {{{ chrony_conf_path }}}"
-  id="test_chrony_no_server_nor_pool" version="1">
-    <ind:object object_ref="obj_chrony_no_server_nor_pool" />
-  </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="obj_chrony_no_server_nor_pool" version="1">
-    <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
-    <ind:pattern operation="pattern match">^(?:server|pool).*</ind:pattern>
-    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="none_exist"
-  comment="check if no server entries in /etc/ntp.conf"
-  id="test_ntp_no_server" version="1">
-    <ind:object object_ref="obj_ntp_no_server_nor_pool" />
-  </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="obj_ntp_no_server_nor_pool" version="1">
-    <ind:filepath>/etc/ntp.conf</ind:filepath>
-    <ind:pattern operation="pattern match">^server.*</ind:pattern>
-    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-
 </def-group>

linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml

@@ -6,14 +6,13 @@ title: 'Configure Time Service Maxpoll Interval'
 description: |-
     The <tt>maxpoll</tt> should be configured to
     {{{ xccdf_value("var_time_service_set_maxpoll") }}} in <tt>/etc/ntp.conf</tt> or
-    <tt>{{{ chrony_conf_path }}}</tt> to continuously poll time servers. To configure
-    <tt>maxpoll</tt> in <tt>/etc/ntp.conf</tt> or <tt>{{{ chrony_conf_path }}}</tt>
-    add the following after each `server`, `pool` or `peer` entry:
+    <tt>{{{ chrony_conf_path }}}</tt> (or <tt>{{{ chrony_d_path }}}</tt>) to continuously poll time servers. To configure
+    <tt>maxpoll</tt> in <tt>/etc/ntp.conf</tt> or <tt>{{{ chrony_conf_path }}}</tt> (or <tt>{{{ chrony_d_path }}}</tt>)
+    add the following after each <tt>server</tt>, <tt>pool</tt> or <tt>peer</tt> entry:
     <pre>maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}</pre>
-    to <pre>server</pre> directives. If using chrony any <pre>pool</pre> directives
+    to <tt>server</tt> directives. If using chrony, any <tt>pool</tt> directives
     should be configured too.
-    If no <tt>server</tt> or <tt>pool</tt> directives are configured, the rule evaluates
-    to pass.
+
     {{% if product == "rhcos4" %}}
     <p>
     Note that if the remediation shipping with this content is being used, the
@@ -104,7 +103,7 @@ ocil_clause: '"maxpoll" has not been set to the value of "{{{ xccdf_value("var_t
 
 ocil: |-
     Verify {{{ full_name }}} is securely comparing internal information system clocks at a regular interval with an NTP server with the following command:
-    <pre>$ sudo grep maxpoll /etc/ntp.conf {{{ chrony_conf_path }}}</pre>
+    <pre>$ sudo grep maxpoll /etc/ntp.conf {{{ chrony_conf_path }}} {{{ chrony_d_path }}}</pre>
     <pre>server [ntp.server.name] iburst maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}</pre>.
 
 fixtext: |-

linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony.pass.sh

@@ -1,7 +1,6 @@
 #!/bin/bash
 # packages = chrony
-#
-# profiles = xccdf_org.ssgproject.content_profile_stig
+# variables = var_time_service_set_maxpoll=16
 
 {{{ bash_package_remove("ntp") }}}
 

linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_d_one_pool_misconfigured.fail.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+# packages = chrony
+# variables = var_time_service_set_maxpoll=16
+# platform = multi_platform_rhel
+
+{{{ bash_package_remove("ntp") }}}
+
+# Remove all server or pool options
+sed -i "/^\(server\|pool\).*/d" {{{ chrony_d_path }}}/20-pools.conf
+
+echo "pool pool.ntp.org iburst maxpoll 18" >> {{{ chrony_d_path }}}/20-pools.conf
+
+systemctl enable chronyd.service
+

linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_d_one_server_misconfigured.fail.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+# packages = chrony
+# variables = var_time_service_set_maxpoll=16
+# platform = multi_platform_rhel
+
+{{{ bash_package_remove("ntp") }}}
+
+# Remove all pool options
+sed -i "/^pool.*/d" {{{ chrony_d_path }}}/10-servers.conf
+
+if ! grep "^server.*maxpoll 10" {{{ chrony_d_path }}}/10-servers.conf ; then
+    sed -i "s/^server.*/& maxpoll 10/" {{{ chrony_d_path }}}/10-servers.conf
+fi
+
+echo "server test.ntp.org" >> {{{ chrony_d_path }}}/10-servers.conf
+
+systemctl enable chronyd.service

linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh → linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.fail.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 # packages = chrony
-#
-# profiles = xccdf_org.ssgproject.content_profile_stig
+# remediation = none
+# variables = var_time_service_set_maxpoll=16
 
 {{{ bash_package_remove("ntp") }}}
 

linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_nothing_done.fail.sh

@@ -1,7 +1,6 @@
 #!/bin/bash
 # packages = chrony
-#
-# profiles = xccdf_org.ssgproject.content_profile_stig
+# variables = var_time_service_set_maxpoll=16
 # platform = Oracle Linux 7,Red Hat Enterprise Linux 7
 
 {{{ bash_package_remove("ntp") }}}

linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_configured.pass.sh

@@ -1,7 +1,6 @@
 #!/bin/bash
 # packages = chrony
-#
-# profiles = xccdf_org.ssgproject.content_profile_stig
+# variables = var_time_service_set_maxpoll=16
 
 {{{ bash_package_remove("ntp") }}}
 

linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_misconfigured.fail.sh

@@ -1,7 +1,6 @@
 #!/bin/bash
 # packages = chrony
-#
-# profiles = xccdf_org.ssgproject.content_profile_stig
+# variables = var_time_service_set_maxpoll=16
 
 {{{ bash_package_remove("ntp") }}}
 

linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_missing_parameter.fail.sh

@@ -1,7 +1,6 @@
 #!/bin/bash
 # packages = chrony
-#
-# profiles = xccdf_org.ssgproject.content_profile_stig
+# variables = var_time_service_set_maxpoll=16
 
 {{{ bash_package_remove("ntp") }}}
 

linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_server_misconfigured.fail.sh

@@ -1,7 +1,6 @@
 #!/bin/bash
 # packages = chrony
-#
-# profiles = xccdf_org.ssgproject.content_profile_stig
+# variables = var_time_service_set_maxpoll=16
 
 {{{ bash_package_remove("ntp") }}}
 

linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/ntp.pass.sh

@@ -1,7 +1,6 @@
 #!/bin/bash
 # packages = ntp
-#
-# profiles = xccdf_org.ssgproject.content_profile_stig
+# variables = var_time_service_set_maxpoll=16
 # platform = Oracle Linux 7,Red Hat Enterprise Linux 7
 
 {{{ bash_package_remove("chrony") }}}

linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/ntp_multiple_misconfigured.fail.sh

@@ -1,7 +1,6 @@
 #!/bin/bash
 # packages = ntp
-#
-# profiles = xccdf_org.ssgproject.content_profile_stig
+# variables = var_time_service_set_maxpoll=16
 # platform = Oracle Linux 7,Red Hat Enterprise Linux 7
 
 {{{ bash_package_remove("chrony") }}}

linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/ntp_wrong_maxpoll.fail.sh

@@ -1,7 +1,6 @@
 #!/bin/bash
 # packages = ntp
-#
-# profiles = xccdf_org.ssgproject.content_profile_stig
+# variables = var_time_service_set_maxpoll=16
 # platform = Oracle Linux 7,Red Hat Enterprise Linux 7
 
 {{{ bash_package_remove("chrony") }}}

products/debian10/product.yml

@@ -19,6 +19,7 @@ init_system: "systemd"
 
 
 chrony_conf_path: "/etc/chrony/chrony.conf"
+chrony_d_path: "/etc/chrony/conf.d/"
 
 cpes_root: "../../shared/applicability"
 cpes:

products/ubuntu1604/product.yml

@@ -21,6 +21,7 @@ oval_feed_url: "https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.xe
 
 
 chrony_conf_path: "/etc/chrony/chrony.conf"
+chrony_d_path: "/etc/chrony/conf.d/"
 
 aide_bin_path: "/usr/bin/aide.wrapper"
 aide_conf_path: "/etc/aide/aide.conf"

products/ubuntu1804/product.yml

@@ -20,6 +20,7 @@ init_system: "systemd"
 
 
 chrony_conf_path: "/etc/chrony/chrony.conf"
+chrony_d_path: "/etc/chrony/conf.d/"
 
 aide_bin_path: "/usr/bin/aide.wrapper"
 aide_conf_path: "/etc/aide/aide.conf"

products/ubuntu2004/product.yml

@@ -26,6 +26,7 @@ aide_conf_path: "/etc/aide/aide.conf"
 aide_default_path: "/etc/default/aide"
 audisp_conf_path: "/etc/audisp"
 chrony_conf_path: "/etc/chrony/chrony.conf"
+chrony_d_path: "/etc/chrony/conf.d/"
 
 cpes_root: "../../shared/applicability"
 cpes:

products/ubuntu2204/product.yml

@@ -26,6 +26,7 @@ aide_conf_path: "/etc/aide/aide.conf"
 aide_default_path: "/etc/default/aide"
 audisp_conf_path: "/etc/audit"
 chrony_conf_path: "/etc/chrony/chrony.conf"
+chrony_d_path: "/etc/chrony/conf.d/"
 
 cpes_root: "../../shared/applicability"
 cpes:

ssg/constants.py

@@ -486,6 +486,7 @@
 DEFAULT_SSH_DISTRIBUTED_CONFIG = 'false'
 DEFAULT_PRODUCT = 'example'
 DEFAULT_CHRONY_CONF_PATH = '/etc/chrony.conf'
+DEFAULT_CHRONY_D_PATH = '/etc/chrony.d/'
 DEFAULT_AUDISP_CONF_PATH = '/etc/audit'
 DEFAULT_SYSCTL_REMEDIATE_DROP_IN_FILE = 'false'