Fix crony.d config directory in Ansible in rule chronyd_or_ntpd_set_maxpoll

linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml

@@ -11,14 +11,14 @@
     path: /etc/ntp.conf
   register: ntp_conf_exist_result
 
-- name: "{{{ rule_title }}} - Update the Maxpoll Values in /etc/ntp.conf"
+- name: "{{{ rule_title }}} - Update the maxpoll Values in /etc/ntp.conf"
   ansible.builtin.replace:
     path: /etc/ntp.conf
     regexp: '^(server.*maxpoll)[ ]+[0-9]+(.*)$'
     replace: '\1 {{ var_time_service_set_maxpoll }}\2'
   when: ntp_conf_exist_result.stat.exists
 
-- name: "{{{ rule_title }}} - Set the Maxpoll Values in /etc/ntp.conf"
+- name: "{{{ rule_title }}} - Set the maxpoll Values in /etc/ntp.conf"
   ansible.builtin.replace:
     path: /etc/ntp.conf
     regexp: '(^server\s+((?!maxpoll).)*)$'
@@ -34,29 +34,39 @@
     path: {{{ chrony_conf_path }}}
   register: chrony_conf_exist_result
 
-- name: "{{{ rule_title }}} - Set Chrony Path Facts"
-  ansible.builtin.set_fact:
-    chrony_path: {{{ chrony_conf_path }}}
+- name: "{{{ rule_title }}} - Update the maxpoll Values in {{{ chrony_conf_path }}}"
+  ansible.builtin.replace:
+    path: "{{{ chrony_conf_path }}}"
+    regexp: '^((?:server|pool|peer).*maxpoll)[ ]+[0-9]+(.*)$'
+    replace: '\1 {{ var_time_service_set_maxpoll }}\2'
+  when: chrony_conf_exist_result.stat.exists
+
+- name: "{{{ rule_title }}} - Set the maxpoll Values in {{{ chrony_conf_path }}}"
+  ansible.builtin.replace:
+    path: "{{{ chrony_conf_path }}}"
+    regexp: '(^(?:server|pool|peer)\s+((?!maxpoll).)*)$'
+    replace: '\1 maxpoll {{ var_time_service_set_maxpoll }}\n'
+  when: chrony_conf_exist_result.stat.exists
 
-- name: "{{{ rule_title }}} - Get Conf Files from {{ chrony_path | dirname }}"
+- name: "{{{ rule_title }}} - Get Conf Files from {{{ chrony_d_path }}}"
   ansible.builtin.find:
-    path: "{{ chrony_path | dirname }}"
+    path: "{{{ chrony_d_path }}}"
     patterns: '*.conf'
     file_type: file
-  register: chrony_conf_files
+  register: chrony_d_conf_files
 
-- name: "{{{ rule_title }}} - Update the Maxpoll Values in {{{ chrony_conf_path }}}"
+- name: "{{{ rule_title }}} - Update the maxpoll Values in {{{ chrony_d_path }}}"
   ansible.builtin.replace:
     path: "{{ item.path }}"
     regexp: '^((?:server|pool|peer).*maxpoll)[ ]+[0-9]+(.*)$'
     replace: '\1 {{ var_time_service_set_maxpoll }}\2'
-  loop: '{{ chrony_conf_files.files }}'
-  when: chrony_conf_files.matched
+  loop: '{{ chrony_d_conf_files.files }}'
+  when: chrony_d_conf_files.matched
 
-- name: "{{{ rule_title }}} - Set the Maxpoll Values in {{{ chrony_conf_path }}}"
+- name: "{{{ rule_title }}} - Set the maxpoll Values in {{{ chrony_d_path }}}"
   ansible.builtin.replace:
     path: "{{ item.path }}"
     regexp: '(^(?:server|pool|peer)\s+((?!maxpoll).)*)$'
     replace: '\1 maxpoll {{ var_time_service_set_maxpoll }}\n'
-  loop: '{{ chrony_conf_files.files }}'
-  when: chrony_conf_files.matched
+  loop: '{{ chrony_d_conf_files.files }}'
+  when: chrony_d_conf_files.matched

linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml

@@ -8,9 +8,9 @@ description: |-
     {{{ xccdf_value("var_time_service_set_maxpoll") }}} in <tt>/etc/ntp.conf</tt> or
     <tt>{{{ chrony_conf_path }}}</tt> to continuously poll time servers. To configure
     <tt>maxpoll</tt> in <tt>/etc/ntp.conf</tt> or <tt>{{{ chrony_conf_path }}}</tt>
-    add the following after each `server`, `pool` or `peer` entry:
+    add the following after each <tt>server</tt>, <tt>pool</tt> or <tt>peer</tt> entry:
     <pre>maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}</pre>
-    to <pre>server</pre> directives. If using chrony any <pre>pool</pre> directives
+    to <tt>server</tt> directives. If using chrony, any <tt>pool</tt> directives
     should be configured too.
     If no <tt>server</tt> or <tt>pool</tt> directives are configured, the rule evaluates
     to pass.

linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_d_one_pool_misconfigured.fail.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+# packages = chrony
+
+{{{ bash_package_remove("ntp") }}}
+
+# Remove all server or pool options
+sed -i "/^\(server\|pool\).*/d" {{{ chrony_d_path }}}/20-pools.conf
+
+echo "pool pool.ntp.org iburst maxpoll 18" >> {{{ chrony_d_path }}}/20-pools.conf
+
+systemctl enable chronyd.service
+

linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_d_one_server_misconfigured.fail.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+# packages = chrony
+
+{{{ bash_package_remove("ntp") }}}
+
+# Remove all pool options
+sed -i "/^pool.*/d" {{{ chrony_d_path }}}/10-servers.conf
+
+if ! grep "^server.*maxpoll 10" {{{ chrony_d_path }}}/10-servers.conf ; then
+    sed -i "s/^server.*/& maxpoll 10/" {{{ chrony_d_path }}}/10-servers.conf
+fi
+
+echo "server test.ntp.org" >> {{{ chrony_d_path }}}/10-servers.conf
+
+systemctl enable chronyd.service

products/debian10/product.yml

@@ -19,6 +19,7 @@ init_system: "systemd"
 
 
 chrony_conf_path: "/etc/chrony/chrony.conf"
+chrony_d_path: "/etc/chrony/conf.d/"
 
 cpes_root: "../../shared/applicability"
 cpes:

products/ubuntu1604/product.yml

@@ -21,6 +21,7 @@ oval_feed_url: "https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.xe
 
 
 chrony_conf_path: "/etc/chrony/chrony.conf"
+chrony_d_path: "/etc/chrony/conf.d/"
 
 aide_bin_path: "/usr/bin/aide.wrapper"
 aide_conf_path: "/etc/aide/aide.conf"

products/ubuntu1804/product.yml

@@ -20,6 +20,7 @@ init_system: "systemd"
 
 
 chrony_conf_path: "/etc/chrony/chrony.conf"
+chrony_d_path: "/etc/chrony/conf.d/"
 
 aide_bin_path: "/usr/bin/aide.wrapper"
 aide_conf_path: "/etc/aide/aide.conf"

products/ubuntu2004/product.yml

@@ -26,6 +26,7 @@ aide_conf_path: "/etc/aide/aide.conf"
 aide_default_path: "/etc/default/aide"
 audisp_conf_path: "/etc/audisp"
 chrony_conf_path: "/etc/chrony/chrony.conf"
+chrony_d_path: "/etc/chrony/conf.d/"
 
 cpes_root: "../../shared/applicability"
 cpes:

products/ubuntu2204/product.yml

@@ -25,6 +25,7 @@ aide_bin_path: "/usr/bin/aide"
 aide_conf_path: "/etc/aide/aide.conf"
 audisp_conf_path: "/etc/audit"
 chrony_conf_path: "/etc/chrony/chrony.conf"
+chrony_d_path: "/etc/chrony/conf.d/"
 
 cpes_root: "../../shared/applicability"
 cpes:

ssg/constants.py

@@ -486,6 +486,7 @@
 DEFAULT_SSH_DISTRIBUTED_CONFIG = 'false'
 DEFAULT_PRODUCT = 'example'
 DEFAULT_CHRONY_CONF_PATH = '/etc/chrony.conf'
+DEFAULT_CHRONY_D_PATH = '/etc/chrony.d/'
 DEFAULT_AUDISP_CONF_PATH = '/etc/audit'
 DEFAULT_SYSCTL_REMEDIATE_DROP_IN_FILE = 'false'
 

ssg/products.py

@@ -12,6 +12,7 @@
                         DEFAULT_AIDE_BIN_PATH,
                         DEFAULT_SSH_DISTRIBUTED_CONFIG,
                         DEFAULT_CHRONY_CONF_PATH,
+                        DEFAULT_CHRONY_D_PATH,
                         DEFAULT_AUDISP_CONF_PATH,
                         DEFAULT_FAILLOCK_PATH,
                         DEFAULT_SYSCTL_REMEDIATE_DROP_IN_FILE,
@@ -66,6 +67,9 @@ def _get_implied_properties(existing_properties):
     if "chrony_conf_path" not in existing_properties:
         result["chrony_conf_path"] = DEFAULT_CHRONY_CONF_PATH
 
+    if "chrony_d_path" not in existing_properties:
+        result["chrony_d_path"] = DEFAULT_CHRONY_D_PATH
+
     if "audisp_conf_path" not in existing_properties:
         result["audisp_conf_path"] = DEFAULT_AUDISP_CONF_PATH
 

tests/data/product_stability/alinux2.yml

@@ -8,6 +8,7 @@ basic_properties_derived: true
 benchmark_id: ALINUX-2
 benchmark_root: ../../linux_os/guide
 chrony_conf_path: /etc/chrony.conf
+chrony_d_path: /etc/chrony.d/
 cpes:
 - alinux2:
     check_id: installed_OS_is_alinux2

tests/data/product_stability/alinux3.yml

@@ -8,6 +8,7 @@ basic_properties_derived: true
 benchmark_id: ALINUX-3
 benchmark_root: ../../linux_os/guide
 chrony_conf_path: /etc/chrony.conf
+chrony_d_path: /etc/chrony.d/
 cpes:
 - alinux3:
     check_id: installed_OS_is_alinux3

tests/data/product_stability/anolis23.yml

@@ -8,6 +8,7 @@ basic_properties_derived: true
 benchmark_id: ANOLIS-23
 benchmark_root: ../../linux_os/guide
 chrony_conf_path: /etc/chrony.conf
+chrony_d_path: /etc/chrony.d/
 cpes:
 - anolis23:
     check_id: installed_OS_is_anolis23

tests/data/product_stability/anolis8.yml

@@ -8,6 +8,7 @@ basic_properties_derived: true
 benchmark_id: ANOLIS-8
 benchmark_root: ../../linux_os/guide
 chrony_conf_path: /etc/chrony.conf
+chrony_d_path: /etc/chrony.d/
 cpes:
 - anolis8:
     check_id: installed_OS_is_anolis8

tests/data/product_stability/chromium.yml

@@ -8,6 +8,7 @@ basic_properties_derived: true
 benchmark_id: CHROMIUM
 benchmark_root: ./guide
 chrony_conf_path: /etc/chrony.conf
+chrony_d_path: /etc/chrony.d/
 cpes:
 - chromium:
     check_id: installed_app_is_chromium

tests/data/product_stability/debian10.yml

@@ -8,6 +8,7 @@ basic_properties_derived: true
 benchmark_id: DEBIAN-10
 benchmark_root: ../../linux_os/guide
 chrony_conf_path: /etc/chrony/chrony.conf
+chrony_d_path: /etc/chrony/conf.d/
 cpes:
 - debian10:
     check_id: installed_OS_is_debian10

tests/data/product_stability/debian11.yml

@@ -8,6 +8,7 @@ basic_properties_derived: true
 benchmark_id: DEBIAN-11
 benchmark_root: ../../linux_os/guide
 chrony_conf_path: /etc/chrony.conf
+chrony_d_path: /etc/chrony.d/
 cpes:
 - debian11:
     check_id: installed_OS_is_debian11

tests/data/product_stability/debian12.yml

@@ -8,6 +8,7 @@ basic_properties_derived: true
 benchmark_id: DEBIAN-12
 benchmark_root: ../../linux_os/guide
 chrony_conf_path: /etc/chrony.conf
+chrony_d_path: /etc/chrony.d/
 cpes:
 - debian12:
     check_id: installed_OS_is_debian12

tests/data/product_stability/eks.yml

@@ -8,6 +8,7 @@ basic_properties_derived: true
 benchmark_id: EKS
 benchmark_root: ../../applications
 chrony_conf_path: /etc/chrony.conf
+chrony_d_path: /etc/chrony.d/
 cpes:
 - eks:
     check_id: installed_app_is_eks

tests/data/product_stability/example.yml

@@ -8,6 +8,7 @@ basic_properties_derived: true
 benchmark_id: EXAMPLE
 benchmark_root: ../../linux_os/guide
 chrony_conf_path: /etc/chrony.conf
+chrony_d_path: /etc/chrony.d/
 components_root: ../../components
 cpes:
 - example:

tests/data/product_stability/fedora.yml

@@ -8,6 +8,7 @@ basic_properties_derived: true
 benchmark_id: FEDORA
 benchmark_root: ../../linux_os/guide
 chrony_conf_path: /etc/chrony.conf
+chrony_d_path: /etc/chrony.d/
 components_root: ../../components
 cpes:
 - fedora_40:

tests/data/product_stability/firefox.yml

@@ -8,6 +8,7 @@ basic_properties_derived: true
 benchmark_id: FIREFOX
 benchmark_root: ./guide
 chrony_conf_path: /etc/chrony.conf
+chrony_d_path: /etc/chrony.d/
 cpes:
 - firefox:
     check_id: installed_app_is_firefox

tests/data/product_stability/macos1015.yml

@@ -8,6 +8,7 @@ basic_properties_derived: true
 benchmark_id: macOS-1015
 benchmark_root: ../../apple_os/
 chrony_conf_path: /etc/chrony.conf
+chrony_d_path: /etc/chrony.d/
 cpes:
 - macos15:
     check_id: installed_OS_is_macos1015

tests/data/product_stability/ocp4.yml

@@ -8,6 +8,7 @@ basic_properties_derived: true
 benchmark_id: OCP-4
 benchmark_root: ../../applications
 chrony_conf_path: /etc/chrony.conf
+chrony_d_path: /etc/chrony.d/
 cpes:
 - ocp4:
     check_id: installed_app_is_ocp4

tests/data/product_stability/ol7.yml

@@ -8,6 +8,7 @@ basic_properties_derived: true
 benchmark_id: OL-7
 benchmark_root: ../../linux_os/guide
 chrony_conf_path: /etc/chrony.conf
+chrony_d_path: /etc/chrony.d/
 cpes:
 - ol7:
     check_id: installed_OS_is_ol7

tests/data/product_stability/ol8.yml

@@ -8,6 +8,7 @@ basic_properties_derived: true
 benchmark_id: OL-8
 benchmark_root: ../../linux_os/guide
 chrony_conf_path: /etc/chrony.conf
+chrony_d_path: /etc/chrony.d/
 cpes:
 - ol8:
     check_id: installed_OS_is_ol8

tests/data/product_stability/ol9.yml

@@ -11,6 +11,7 @@ basic_properties_derived: true
 benchmark_id: OL-9
 benchmark_root: ../../linux_os/guide
 chrony_conf_path: /etc/chrony.conf
+chrony_d_path: /etc/chrony.d/
 cpes:
 - ol9:
     check_id: installed_OS_is_ol9

tests/data/product_stability/openembedded.yml

@@ -8,6 +8,7 @@ basic_properties_derived: true
 benchmark_id: OPENEMBEDDED
 benchmark_root: ../../linux_os/guide
 chrony_conf_path: /etc/chrony.conf
+chrony_d_path: /etc/chrony.d/
 cpes:
 - openembedded:
     check_id: installed_OS_is_openembedded

tests/data/product_stability/opensuse.yml

@@ -8,6 +8,7 @@ basic_properties_derived: true
 benchmark_id: OPENSUSE
 benchmark_root: ../../linux_os/guide
 chrony_conf_path: /etc/chrony.conf
+chrony_d_path: /etc/chrony.d/
 cpes:
 - opensuse-42.1:
     check_id: installed_OS_is_opensuse_leap42

tests/data/product_stability/rhcos4.yml

@@ -8,6 +8,7 @@ basic_properties_derived: true
 benchmark_id: RHCOS-4
 benchmark_root: ../../linux_os/guide
 chrony_conf_path: /etc/chrony.conf
+chrony_d_path: /etc/chrony.d/
 cpes:
 - rhcos4:
     check_id: installed_OS_is_rhcos4

tests/data/product_stability/rhel7.yml

@@ -14,6 +14,7 @@ centos_major_version: '7'
 centos_pkg_release: 53a7ff4b
 centos_pkg_version: f4a80eb5
 chrony_conf_path: /etc/chrony.conf
+chrony_d_path: /etc/chrony.d/
 components_root: ../../components
 cpes:
 - rhel7:

tests/data/product_stability/rhel8.yml

@@ -14,6 +14,7 @@ centos_major_version: '8'
 centos_pkg_release: 5ccc5b19
 centos_pkg_version: 8483c65d
 chrony_conf_path: /etc/chrony.conf
+chrony_d_path: /etc/chrony.d/
 components_root: ../../components
 cpes:
 - rhel8:

tests/data/product_stability/rhel9.yml

@@ -14,6 +14,7 @@ centos_major_version: '9'
 centos_pkg_release: 5ccc5b19
 centos_pkg_version: 8483c65d
 chrony_conf_path: /etc/chrony.conf
+chrony_d_path: /etc/chrony.d/
 components_root: ../../components
 cpes:
 - rhel9:

tests/data/product_stability/rhv4.yml

@@ -11,6 +11,7 @@ basic_properties_derived: true
 benchmark_id: RHV-4
 benchmark_root: ../../linux_os/guide
 chrony_conf_path: /etc/chrony.conf
+chrony_d_path: /etc/chrony.d/
 cpes:
 - rhel8-host:
     check_id: installed_OS_is_rhv4

tests/data/product_stability/sle12.yml

@@ -8,6 +8,7 @@ basic_properties_derived: true
 benchmark_id: SLE-12
 benchmark_root: ../../linux_os/guide
 chrony_conf_path: /etc/chrony.conf
+chrony_d_path: /etc/chrony.d/
 cpes:
 - sle12-server:
     check_id: installed_OS_is_sle12

tests/data/product_stability/sle15.yml

@@ -8,6 +8,7 @@ basic_properties_derived: true
 benchmark_id: SLE-15
 benchmark_root: ../../linux_os/guide
 chrony_conf_path: /etc/chrony.conf
+chrony_d_path: /etc/chrony.d/
 cpes:
 - sle15-server:
     check_id: installed_OS_is_sle15

tests/data/product_stability/ubuntu1604.yml

@@ -8,6 +8,7 @@ basic_properties_derived: true
 benchmark_id: UBUNTU-XENIAL
 benchmark_root: ../../linux_os/guide
 chrony_conf_path: /etc/chrony/chrony.conf
+chrony_d_path: /etc/chrony/conf.d/
 cpes:
 - ubuntu1604:
     check_id: installed_OS_is_ubuntu1604

tests/data/product_stability/ubuntu1804.yml

@@ -8,6 +8,7 @@ basic_properties_derived: true
 benchmark_id: UBUNTU-BIONIC
 benchmark_root: ../../linux_os/guide
 chrony_conf_path: /etc/chrony/chrony.conf
+chrony_d_path: /etc/chrony/conf.d/
 cpes:
 - ubuntu1804:
     check_id: installed_OS_is_ubuntu1804