
feat: Implements CIS Benchmark - 2.1.2 Ensure chrony is configured

Open brakkio86 opened this issue 1 year ago • 17 comments

Enhancement: I changed the template for chrony sysconfig in order to implement the CIS Benchmark recommendation for RHEL.

Reason: Be compatible with CIS Benchmark "2.1.2 Ensure chrony is configured" on a RHEL.

Result: CIS Benchmark compatible.

Issue Tracker Tickets (Jira or BZ if any): N.A.

brakkio86 avatar Mar 29 '24 08:03 brakkio86

[citest]

spetrosi avatar Apr 02 '24 09:04 spetrosi

-u chrony is the default on RHEL. It doesn't need to be set. Other distributions may have different names for the user.

mlichvar avatar Apr 02 '24 09:04 mlichvar

Hello, in RHEL the compiled-in default user is the "chrony" user; on the other hand, the CIS benchmark wants to be sure that it is also the effective configuration. Is it possible to add a check in order to implement it only on RHEL? Another way to allow the implementation is to allow customization of the sysconfig file. Thanks, Francesco

brakkio86 avatar Apr 03 '24 06:04 brakkio86

> Hello, in RHEL the compiled-in default user is the "chrony" user; on the other hand, the CIS benchmark wants to be sure that it is also the effective configuration. Is it possible to add a check in order to implement it only on RHEL? Another way to allow the implementation is to allow customization of the sysconfig file. Thanks, Francesco

I'm not sure what you are trying to do. Are you running some sort of CIS compliance scanner that is complaining that chronyd is not using -u chrony? If so, then it seems to be that the right answer isn't to force -u chrony using this role.

richm avatar Apr 03 '24 15:04 richm

> > Hello, in RHEL the compiled-in default user is the "chrony" user; on the other hand, the CIS benchmark wants to be sure that it is also the effective configuration. Is it possible to add a check in order to implement it only on RHEL? Another way to allow the implementation is to allow customization of the sysconfig file. Thanks, Francesco

> I'm not sure what you are trying to do. Are you running some sort of CIS compliance scanner that is complaining that chronyd is not using -u chrony? If so, then it seems to be that the right answer isn't to force -u chrony using this role.

Yes, I'm applying a CIS compliant configuration. On the other hand, this role broke the configuration as it removes the -u chrony setting. What do you suggest?

brakkio86 avatar Apr 04 '24 07:04 brakkio86

> > > Hello, in RHEL the compiled-in default user is the "chrony" user; on the other hand, the CIS benchmark wants to be sure that it is also the effective configuration. Is it possible to add a check in order to implement it only on RHEL? Another way to allow the implementation is to allow customization of the sysconfig file. Thanks, Francesco

> > I'm not sure what you are trying to do. Are you running some sort of CIS compliance scanner that is complaining that chronyd is not using -u chrony? If so, then it seems to be that the right answer isn't to force -u chrony using this role.

> Yes, I'm applying a CIS compliant configuration. On the other hand, this role broke the configuration as it removes the -u chrony setting. What do you suggest?

Well, as @mlichvar says, the default on RHEL is -u chrony. So for CIS compliance, do you just need a way to determine what that default value is?

richm avatar Apr 04 '24 13:04 richm

> Well, as @mlichvar says, the default on RHEL is -u chrony. So for CIS compliance, do you just need a way to determine what that default value is?

Unfortunately no, CIS Security mandatorily requires an explicit user in /etc/sysconfig/chronyd. Maybe it is possible to parametrize the OPTIONS section in /etc/sysconfig/chronyd.

brakkio86 avatar Apr 09 '24 08:04 brakkio86

If a new option needs to be added to the role for this, I'd prefer a more general approach specifying directly the additional chronyd options included in /etc/sysconfig/chronyd, e.g. timesync_chronyd_custom_options.

mlichvar avatar Apr 10 '24 12:04 mlichvar

> If a new option needs to be added to the role for this, I'd prefer a more general approach specifying directly the additional chronyd options included in /etc/sysconfig/chronyd, e.g. timesync_chronyd_custom_options.

The role already has timesync_chrony_custom_settings - so maybe timesync_chrony_sysconfig_settings for settings applied to /etc/sysconfig/chrony?

richm avatar Apr 10 '24 13:04 richm

Some systems don't have sysconfig, e.g. on Debian the options are in /etc/default/chrony, so I think the name should be general enough to work on all potentially supported distros.

mlichvar avatar Apr 10 '24 13:04 mlichvar

> Some systems don't have sysconfig, e.g. on Debian the options are in /etc/default/chrony, so I think the name should be general enough to work on all potentially supported distros.

Ok - what about timesync_chrony_service_settings?

richm avatar Apr 10 '24 13:04 richm

That's better. I'm not sure if it's clear enough that it's the command-line options. I suspect someone could confuse it with the systemd service settings.

mlichvar avatar Apr 11 '24 08:04 mlichvar

Hello, I've updated with the suggestion and using timesync_chrony_service_settings. What do you think now?

brakkio86 avatar Apr 12 '24 09:04 brakkio86

[citest]

richm avatar Jun 10 '24 15:06 richm

How can we test this? e.g. add or modify a test in https://github.com/linux-system-roles/timesync/tree/main/tests ?

richm avatar Jun 10 '24 15:06 richm

I had to close and reopen the PR to trigger checks - not sure why the checks were not being run...

richm avatar Jun 10 '24 15:06 richm

Need a test for this in tests/

richm avatar Aug 01 '24 22:08 richm