chronyd_or_ntpd_set_maxpoll is not remediated by Ansible #11934
What I find really disturbing is that the Ansible tasks in the attachment manipulate many unrelated files such as /etc/sestatus.conf or /etc/krb5.conf. This is caused by the tasks that work with the chrony_conf_path variable. They get the name of the parent directory and look for all .conf files there. This probably works nicely for Ubuntu products, where chrony_conf_path is set to /etc/chrony/chrony.conf, but creates harm in all other products where chrony_conf_path is set to /etc/chrony.conf, so the dirname is /etc and the search matches all *.conf files in /etc.
Most likely caused by the chronyd_specify_remote_server remediation, which runs later than the remediation for this rule and inserts a new entry without the maxpoll.
This change will put chronyd_specify_remote_server before other rules in the ntp group. Fixes: ComplianceAsCode#11934
Description of problem:
When remediating the STIG profile with Ansible, the rule chronyd_or_ntpd_set_maxpoll does not get remediated.
The relevant part of the Ansible playbook execution is attached.
ansible.log
SCAP Security Guide Version:
stabilization-v0.1.73 branch, commit 0b096bc
Operating System Version:
RHEL 8 and 9
Steps to Reproduce:
1. Remediate the STIG profile with its Ansible playbook
2. Perform an oscap scan for this profile
Actual Results:
The rule is reported as failed.
Expected Results:
The rule is reported as passing.
Additional Information/Debugging Steps:
I have a hunch that it might be caused by rule ordering? That the server directive with maxpoll is overridden by another rule which configures a hardcoded NTP server for STIG.
This error shows up often but not always.
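The ordering hypothesis above, and the fix of moving chronyd_specify_remote_server ahead of the other ntp rules, can be reproduced with a small model. This is an added example, not ComplianceAsCode's own remediation code; it assumes the maxpoll remediation appends `maxpoll 16` to every server/pool/peer line that lacks it, the remote-server remediation appends a bare `server <addr>` line when that address is absent, and the scanner checks that every time source sets maxpoll. The server address and starting config are constructed placeholders.

```python
import re

# Constructed placeholder for the STIG-mandated server address.
STIG_SERVER = "0.rhel.pool.ntp.org"

# Matches a chrony time-source directive: keyword, address, remaining options.
_SOURCE_RE = re.compile(r"^\s*(server|pool|peer)\s+(\S+)(.*)$")


def remediate_maxpoll(lines, maxpoll=16):
    """Model of chronyd_or_ntpd_set_maxpoll: add maxpoll to every source."""
    out = []
    for line in lines:
        m = _SOURCE_RE.match(line)
        if m and "maxpoll" not in m.group(3):
            line = f"{line.rstrip()} maxpoll {maxpoll}"
        out.append(line)
    return out


def remediate_remote_server(lines, address=STIG_SERVER):
    """Model of chronyd_specify_remote_server (assumed): insert a bare
    server line for the required address if none exists, without maxpoll."""
    for line in lines:
        m = _SOURCE_RE.match(line)
        if m and m.group(2) == address:
            return list(lines)
    return list(lines) + [f"server {address}"]


def maxpoll_compliant(lines):
    """The scanner's check: at least one source, and every source sets maxpoll."""
    sources = [m for m in map(_SOURCE_RE.match, lines) if m]
    return bool(sources) and all("maxpoll" in m.group(3) for m in sources)


def run_playbook(lines, order):
    """Apply the remediations in the given order; return (config, passes)."""
    for step in order:
        lines = step(lines)
    return lines, maxpoll_compliant(lines)


# Constructed starting chrony.conf fragment: a default pool, no maxpoll.
BASE_CONF = ["pool 2.rhel.pool.ntp.org iburst", "driftfile /var/lib/chrony/drift"]

# Order before the fix: maxpoll runs, then a bare server line is inserted.
BROKEN_ORDER = (remediate_maxpoll, remediate_remote_server)
# Order after the fix: chronyd_specify_remote_server runs first.
FIXED_ORDER = (remediate_remote_server, remediate_maxpoll)
```

Running `run_playbook(BASE_CONF, BROKEN_ORDER)` yields a config whose new server line has no maxpoll, so the check fails; with `FIXED_ORDER` the later maxpoll pass covers the inserted line and the check passes.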