Update chrony rules for RHEL 10 #12415
This datastream diff is auto generated by the check.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_chronyd_server_directive'.
--- xccdf_org.ssgproject.content_rule_chronyd_server_directive
+++ xccdf_org.ssgproject.content_rule_chronyd_server_directive
@@ -28,6 +28,7 @@
[rationale]:
Depending on the infrastructure being used the pool directive may not be supported.
+Using the server directive allows for better control of where the system gets time data from.
[ident]:
CCE-86077-5
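Review bot: the added rationale sentence "allows for better control of where the system gets time data from" is too vague to justify a hardening rule; say what the control is, for example "Listing sources explicitly with the server directive lets the administrator pin the exact hosts the system accepts time from." The two sentences also pull in different directions: the first says pool may not be supported at all, the second implies pool works but is less controllable, so state which one is the primary justification.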
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_chrony_keys'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_etc_chrony_keys
+++ xccdf_org.ssgproject.content_rule_file_groupowner_etc_chrony_keys
@@ -3,16 +3,16 @@
Verify Group Who Owns /etc/chrony.keys File
[description]:
-To properly set the group owner of /etc/chrony.keys, run the command: $ sudo chgrp root /etc/chrony.keys
+To properly set the group owner of /etc/chrony.keys, run the command: $ sudo chgrp chrony /etc/chrony.keys
[reference]:
R50
[rationale]:
-The ownership of the /etc/chrony.keys file by the root group is important
+The ownership of the /etc/chrony.keys file by the chrony group is important
because this file hosts chrony cryptographic keys. Protection
of this file is critical for system security. Assigning the ownership to
-root ensures exclusive control of the chrony cryptography keys.
+chrony ensures exclusive control of the chrony cryptography keys.
[ident]:
CCE-86373-8
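Review bot: "chrony ensures exclusive control of the chrony cryptography keys" overstates what a group-ownership rule does; setting the group to chrony restricts nothing by itself unless the file mode also denies other users, and the mode is not part of this rule. Suggest wording along the lines of "the chrony group is used so that only the service account needs read access to the keys" and leaving exclusive-control claims to the owner and permissions rules. Nit: this rule says "cryptography keys" in two places while the owner rule's rationale says "cryptographic keys"; use one form.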
OCIL for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_chrony_keys' differs.
--- ocil:ssg-file_groupowner_etc_chrony_keys_ocil:questionnaire:1
+++ ocil:ssg-file_groupowner_etc_chrony_keys_ocil:questionnaire:1
@@ -2,6 +2,6 @@
run the command:
$ ls -lL /etc/chrony.keys
If properly configured, the output should indicate the following group-owner:
-root
- Is it the case that /etc/chrony.keys does not have a group owner of root?
+chrony
+ Is it the case that /etc/chrony.keys does not have a group owner of chrony?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_chrony_keys' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_etc_chrony_keys
+++ xccdf_org.ssgproject.content_rule_file_groupowner_etc_chrony_keys
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-chgrp -L root /etc/chrony.keys
+chgrp -L chrony /etc/chrony.keys
else
>&2 echo 'Remediation is not applicable, nothing was done'
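Review bot: unlike the Ansible remediation, which is conditioned on file_exists.stat.exists, this chgrp runs unconditionally and will fail if /etc/chrony.keys is absent or the chrony group does not exist (chrony not installed). Unless the rule's platform applicability already excludes such hosts, guard it, e.g. `if [ -f /etc/chrony.keys ] && getent group chrony >/dev/null; then chgrp -L chrony /etc/chrony.keys; fi`, so a combined remediation run does not abort here.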
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_chrony_keys' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_etc_chrony_keys
+++ xccdf_org.ssgproject.content_rule_file_groupowner_etc_chrony_keys
@@ -12,10 +12,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure group owner root on /etc/chrony.keys
+- name: Ensure group owner chrony on /etc/chrony.keys
file:
path: /etc/chrony.keys
- group: root
+ group: chrony
when:
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- file_exists.stat is defined and file_exists.stat.exists
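Review bot: the group name is a literal in both the task name and the group: field; if older products keep root as the group owner, drive the value from a product-level variable so the two variants cannot silently diverge. The file_exists condition also does not cover the case where the file exists but the chrony group does not, so the task should either check for the group or be scoped to hosts with the chrony package installed.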
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_chrony_keys'.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_chrony_keys
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_chrony_keys
@@ -9,10 +9,10 @@
R50
[rationale]:
-The ownership of the /etc/chrony.keys file by the root user is important
+The ownership of the /etc/chrony.keys file by the chrony user is important
because this file hosts chrony cryptographic keys. Protection
of this file is critical for system security. Assigning the ownership to
-root ensures exclusive control of the chrony cryptographic keys.
+chrony ensures exclusive control of the chrony cryptographic keys.
[ident]:
CCE-86379-5
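Review bot: making the chrony user the owner of /etc/chrony.keys contradicts the retained phrase "ensures exclusive control": the file now belongs to the account the daemon runs as, so a compromised chronyd can rewrite its own key material, whereas root ownership kept the keys outside the service's write reach. If the goal is only that chronyd can read the keys, root ownership with the chrony group (which the groupowner rule in this PR already sets) and a restrictive mode achieves that; if RHEL 10 requires the daemon to own the file, the rationale should state that requirement and drop the exclusive-control claim.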
🤖 A k8s content image for this PR is available at:
If you already have Compliance Operator deployed:
Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
Compare 2562872 to 3aa9f8f
Compare 3aa9f8f to b8d237d
Code Climate has analyzed commit b8d237d and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.5% (0.0% change). View more on Code Climate.
jcerny@fedora:~/work/git/scap-security-guide (pr/12415)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel10 chrony_set_nts chronyd_server_directive
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-09-30-1157/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_chronyd_server_directive
INFO - Script file_empty.fail.sh using profile (all) OK
INFO - Script file_missing.fail.sh using profile (all) OK
INFO - Script line_missing.fail.sh using profile (all) OK
INFO - Script multiple_servers.pass.sh using profile (all) OK
INFO - Script only_pool.fail.sh using profile (all) OK
INFO - Script only_server.pass.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_chrony_set_nts
INFO - Script chrony_d_one_pool_missing.fail.sh using profile (all) OK
INFO - Script chrony_d_one_server_missing.fail.sh using profile (all) OK
INFO - Script chrony_no_pool_nor_servers.fail.sh using profile (all) OK
INFO - Script chrony_one_pool_configured.pass.sh using profile (all) OK
INFO - Script chrony_one_pool_missing.fail.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/12415)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel10 --remediate-using ansible chrony_set_nts chronyd_server_directive
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-09-30-1308/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_chronyd_server_directive
INFO - Script file_empty.fail.sh using profile (all) OK
INFO - Script file_missing.fail.sh using profile (all) OK
INFO - Script line_missing.fail.sh using profile (all) OK
INFO - Script multiple_servers.pass.sh using profile (all) OK
INFO - Script only_pool.fail.sh using profile (all) OK
INFO - Script only_server.pass.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_chrony_set_nts
INFO - Script chrony_d_one_pool_missing.fail.sh using profile (all) OK
INFO - Script chrony_d_one_server_missing.fail.sh using profile (all) OK
INFO - Script chrony_no_pool_nor_servers.fail.sh using profile (all) OK
INFO - Script chrony_one_pool_configured.pass.sh using profile (all) OK
INFO - Script chrony_one_pool_missing.fail.sh using profile (all) OK
Description:
Rationale:
Updates for RHEL 10.