chrony.conf moved content_rule_chronyd_specify_remote_server now broken
Description of problem:
It seems like chrony.conf has moved from /etc/chrony.conf to /etc/chrony/chrony.conf.
This means xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server will consistently fail, as it only checks /etc/chrony.conf. Other rules might also be affected!
SCAP Security Guide Version:
master
ssg-debian12-ds.xml (enhanced)
Document type: Source Data Stream
Imported: 2023-12-31T02:37:13
Stream: scap_org.open-scap_datastream_from_xccdf_ssg-debian12-xccdf.xml
Generated: (null)
Version: 1.3
Checklists:
Ref-Id: scap_org.open-scap_cref_ssg-debian12-xccdf.xml
Status: draft
Generated: 2023-12-23
Resolved: true
Profiles:
Title: ANSSI-BP-028 (enhanced)
Id: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
Title: ANSSI-BP-028 (high)
Id: xccdf_org.ssgproject.content_profile_anssi_bp28_high
Title: ANSSI-BP-028 (intermediary)
Id: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
Title: ANSSI-BP-028 (minimal)
Id: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
Title: Profile for ANSSI DAT-NT28 Average (Intermediate) Level
Id: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average
Title: Profile for ANSSI DAT-NT28 High (Enforced) Level
Id: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high
Title: Profile for ANSSI DAT-NT28 Minimal Level
Id: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal
Title: Profile for ANSSI DAT-NT28 Restrictive Level
Id: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive
Title: Standard System Security Profile for Debian 12
Id: xccdf_org.ssgproject.content_profile_standard
Referenced check files:
ssg-debian12-oval.xml
system: http://oval.mitre.org/XMLSchema/oval-definitions-5
ssg-debian12-ocil.xml
system: http://scap.nist.gov/schema/ocil/2
Checks:
Ref-Id: scap_org.open-scap_cref_ssg-debian12-oval.xml
Ref-Id: scap_org.open-scap_cref_ssg-debian12-ocil.xml
Ref-Id: scap_org.open-scap_cref_ssg-debian12-cpe-oval.xml
Dictionaries:
Ref-Id: scap_org.open-scap_cref_ssg-debian12-cpe-dictionary.xml
Operating System Version:
Debian 12
Linux *** 6.1.0-16-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.67-1 (2023-12-12) x86_64 GNU/Linux
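An added example, not part of this issue or of the SCAP Security Guide's own OVAL check: a POSIX shell check that looks for a configured remote time source in both chrony.conf locations mentioned above, so a missing legacy path does not by itself produce a failure. The two paths in CHRONY_CONF_CANDIDATES come from this report; the function names are my own.

```shell
#!/bin/sh
# Where chronyd's configuration may live: the legacy path the SCAP rule
# checks and the Debian 12 path reported in this issue.
CHRONY_CONF_CANDIDATES="/etc/chrony.conf /etc/chrony/chrony.conf"

# count_time_sources FILE
# Print the number of active 'server' or 'pool' directives in FILE
# (comment lines and leading whitespace are ignored). Prints 0 when
# FILE is missing or unreadable so callers can sum the result safely.
count_time_sources() {
    if [ ! -r "$1" ]; then
        echo 0
        return 0
    fi
    # grep -c prints "0" and exits 1 when nothing matches; keep that 0.
    grep -Ec '^[[:space:]]*(server|pool)[[:space:]]+[^[:space:]]+' "$1" || true
}

# check_chrony_remote_server [FILE...]
# Pass (exit 0) when at least one candidate file configures a remote
# time source; fail (exit 1) otherwise. With no arguments the default
# candidate list above is used (word splitting on it is intended).
check_chrony_remote_server() {
    [ $# -gt 0 ] || set -- $CHRONY_CONF_CANDIDATES
    total=0
    for f in "$@"; do
        n=$(count_time_sources "$f")
        if [ "$n" -gt 0 ]; then
            printf 'OK: %s defines %s server/pool directive(s)\n' "$f" "$n"
        fi
        total=$((total + n))
    done
    if [ "$total" -eq 0 ]; then
        printf 'FAIL: no server/pool directive found in: %s\n' "$*" >&2
        return 1
    fi
    return 0
}
```

Run `check_chrony_remote_server` with no arguments on a Debian 12 host to evaluate the real files; pass explicit paths to test against a staged copy.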
The ansible playbook of content_rule_chronyd_specify_remote_server will set
0.pool.ntp.org
1.pool.ntp.org
2.pool.ntp.org
3.pool.ntp.org
as servers in `chrony.conf` if none are defined, but shouldn't they be defined as a pool? Is there any reason for them not to have the iburst option by default?
This will probably add unnecessary complexity:
For Linux distros like Debian, Fedora, etc. there are pools from them (x.debian.pool.ntp.org, x.fedora.pool.ntp.org, etc.); shouldn't they be used as the default for their distro? There are region-specific pools; shouldn't they be set as default? ~~There are more NTP servers than the ntp.org ones, like x.time.google.com, time.cloudflare.com, etc. Why aren't they used as default? ~ probably because ntp.org is decentralized.~~
There should not be a difference between
0.pool.ntp.org
1.pool.ntp.org
2.pool.ntp.org
3.pool.ntp.org
and
pool.ntp.org
so why not just use pool.ntp.org?
Thanks for reporting this issue.
At least for RHEL 9 it is still in /etc/chrony.conf so that complicates things.
It looks like other distros can use their distro's pool see linux_os/guide/services/ntp/var_multiple_time_servers.var.
It looks like chronyd_specify_remote_server is recommending multiple servers. However, I have spot checked a RHEL and Ubuntu Benchmark, and they only say you may use more than one server. So moving to pool could be okay.