Merge pull request #10353 from rumch-se/rule_ensure_chrony_is_configured

New rule ensure_chrony_is_configured
ComplianceAsCode · May 23, 2023 · 91ba1a5 · 91ba1a5
2 parents 5eec6d5 + 5be9450
commit 91ba1a5
Show file tree

Hide file tree

Showing 32 changed files with 290 additions and 9 deletions.
diff --git a/controls/anssi.yml b/controls/anssi.yml
@@ -1309,6 +1309,7 @@ controls:
     # Based on DAT-NT-012 R3
     - package_chrony_installed
     - chronyd_specify_remote_server
+    - chronyd_configure_pool_and_server
 
     # Derived from DAT-NT-012 R4
     - partition_for_var_log_audit

diff --git a/controls/cis_sle12.yml b/controls/cis_sle12.yml
@@ -571,8 +571,10 @@ controls:
     - l1_workstation
     status: automated
     rules:
-    - chronyd_specify_remote_server
     - chronyd_run_as_chrony_user
+    - chronyd_configure_pool_and_server
+    - var_multiple_time_servers=suse
+    - var_multiple_time_pools=suse
 
   - id: 2.2.1.4
     title: Ensure ntp is configured (Automated)

diff --git a/controls/cis_sle15.yml b/controls/cis_sle15.yml
@@ -569,8 +569,10 @@ controls:
       - l1_workstation
     status: automated
     rules:
-      - chronyd_specify_remote_server
       - chronyd_run_as_chrony_user
+      - chronyd_configure_pool_and_server
+      - var_multiple_time_servers=suse
+      - var_multiple_time_pools=suse      
 
   - id: 2.2.2
     title: Ensure X11 Server components are not installed (Automated)

diff --git a/controls/pcidss_3.yml b/controls/pcidss_3.yml
@@ -2020,10 +2020,12 @@ controls:
     status: automated
     rules:
       - var_multiple_time_servers=suse
+      - var_multiple_time_pools=suse
       - ntpd_specify_remote_server
       - ntpd_specify_multiple_servers
       - chronyd_specify_remote_server
       - chronyd_or_ntpd_specify_multiple_servers
+      - chronyd_configure_pool_and_server
 
 - id: Req-10.5
   title: 10.5 Secure audit trails so they cannot be altered.

diff --git a/controls/pcidss_4.yml b/controls/pcidss_4.yml
@@ -2328,6 +2328,7 @@ controls:
       - service_ntp_enabled
       - service_ntpd_enabled
       - service_timesyncd_enabled
+      - chronyd_configure_pool_and_server      
 
     - id: 10.6.2
       title: 'Systems are configured to the correct and consistent time'

diff --git a/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/ansible/shared.yml
@@ -0,0 +1,27 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+{{{ ansible_instantiate_variables("var_multiple_time_servers") }}}
+{{{ ansible_instantiate_variables("var_multiple_time_pools") }}}
+
+- name: {{{ rule_title }}} - Add missing / update wrong records for remote time servers
+  ansible.builtin.lineinfile:
+    path: {{{ chrony_conf_path }}}
+    regexp: '^\s*\bserver\b\s*\b{{ item }}\b$'
+    state: present
+    line: 'server {{ item }}'
+    create: true
+  with_items: 
+    - '{{ var_multiple_time_servers.split(",") }}'
+
+- name: {{{ rule_title }}} - Add missing / update wrong records for remote time pools
+  ansible.builtin.lineinfile:
+    path: {{{ chrony_conf_path }}}
+    regexp: '^\s*\bpool\b\s*\b{{ item }}\b$'
+    state: present
+    line: 'pool {{ item }}'
+    create: true
+  with_items: 
+    - '{{ var_multiple_time_pools.split(",") }}'
diff --git a/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/bash/shared.sh
@@ -0,0 +1,30 @@
+# platform = multi_platform_all
+
+{{{ bash_instantiate_variables("var_multiple_time_servers") }}}
+{{{ bash_instantiate_variables("var_multiple_time_pools") }}}
+
+config_file="{{{ chrony_conf_path }}}"
+
+# Check and configigure servers in {{{ chrony_conf_path }}}
+IFS="," read -a SERVERS <<< $var_multiple_time_servers
+for srv in "${SERVERS[@]}"
+do
+   NTP_SRV=$(grep -w $srv $config_file)
+   if [[ ! "$NTP_SRV" == "server "* ]]
+   then
+     time_server="server $srv"
+     echo $time_server >> "$config_file"
+   fi
+done
+
+# Check and configure pools in {{{ chrony_conf_path }}}
+IFS="," read -a POOLS <<< $var_multiple_time_pools
+for srv in "${POOLS[@]}"
+do
+   NTP_POOL=$(grep -w $srv $config_file)
+   if [[ ! "$NTP_POOL" == "pool "* ]]
+   then
+     time_server="pool $srv"
+     echo $time_server >> "$config_file"
+   fi
+done
diff --git a/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/oval/shared.xml
@@ -0,0 +1,58 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("A remote NTP Server for time synchronization should be specified (and dependencies are met)") }}}
+    <criteria comment="chrony.conf conditions are met" operator="OR">
+      <criterion test_ref="test_chrony_remote_server_configuration" />
+      <criterion test_ref="test_chrony_remote_pool_configuration" />
+    </criteria>
+  </definition>
+
+  <external_variable comment="remote vendor-approved time servers" datatype="string"
+   id="var_multiple_time_servers" version="1" />  
+
+  <local_variable id="temp_variable_test_servers" datatype="string" version="1" comment="a local variable which includes all vendor-approved time servers">
+      <concat>
+          <literal_component>^(?:server)[[:space:]]</literal_component>
+          <split delimiter=",">
+              <variable_component var_ref="var_multiple_time_servers" />
+          </split>
+          <literal_component>$</literal_component>
+      </concat>
+  </local_variable>
+
+  <external_variable comment="remote vendor-approved pool servers" datatype="string"
+   id="var_multiple_time_pools" version="1" />  
+
+  <local_variable id="temp_variable_test_pools" datatype="string" version="1" comment="a local variable which includes all vendor-approved pool servers">
+      <concat>
+          <literal_component>^(?:pool)[[:space:]]</literal_component>
+          <split delimiter=",">
+              <variable_component var_ref="var_multiple_time_pools" />
+          </split>
+          <literal_component>$</literal_component>
+      </concat>
+  </local_variable>
+
+  <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists"
+  comment="Ensure remote NTP server is set" id="test_chrony_remote_server_configuration" version="1">
+    <ind:object object_ref="object_chrony_remote_server_configuration" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object comment="Ensure at least one NTP server is set" id="object_chrony_remote_server_configuration" version="1">
+    <ind:filepath>{{{ chrony_conf_path }}}</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="temp_variable_test_servers"/>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists"
+  comment="Ensure remote NTP pool is set" id="test_chrony_remote_pool_configuration" version="1">
+    <ind:object object_ref="object_chrony_remote_pool_configuration" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object comment="Ensure at least one NTP pool is set" id="object_chrony_remote_pool_configuration" version="1">
+    <ind:filepath>{{{ chrony_conf_path }}}</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="temp_variable_test_pools"/>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/rule.yml b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/rule.yml
@@ -0,0 +1,42 @@
+documentation_complete: true
+
+prodtype: sle12,sle15
+
+title: 'Chrony Configure Pool and Server'
+
+description: |-
+    <tt>Chrony</tt> is a daemon which implements the Network Time Protocol (NTP). It is designed to
+    synchronize system clocks across a variety of systems and use a source that is highly
+    accurate. More information on <tt>chrony</tt> can be found at
+    {{{ weblink(link="http://chrony.tuxfamily.org/") }}}.
+    <tt>Chrony</tt> can be configured to be a client and/or a server.
+    Add or edit server or pool lines to <tt>{{{ chrony_conf_path }}}</tt> as appropriate:
+    <pre>server &lt;remote-server&gt;</pre>
+    Multiple servers may be configured.
+
+rationale: |-
+    If <tt>chrony</tt> is in use on the system proper configuration is vital to ensuring time
+    synchronization is working properly.
+
+severity: medium
+
+platform: package[chrony]
+
+identifiers:
+    cce@sle12: CCE-92394-6 
+    cce@sle15: CCE-92526-3 
+
+references:
+    anssi: BP28(R43)
+    cis@sle12: 2.2.1.3
+    cis@sle15: 2.2.1.3
+    disa:  CCI-000160,CCI-001891
+    ism: 0988,1405
+    nist: CM-6(a),AU-8(1)(a)
+    pcidss: Req-10.4.3
+
+ocil_clause: 'a remote time server is not configured'
+
+ocil: |-
+    Run the following command and verify remote servers are configured properly:
+    <pre># grep -E "^(server|pool)" {{{ chrony_conf_path }}}</pre>
diff --git a/...services/ntp/chronyd_configure_pool_and_server/tests/correct_chrony_configuration.pass.sh b/...services/ntp/chronyd_configure_pool_and_server/tests/correct_chrony_configuration.pass.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+# packages = chrony
+
+
+{{{ bash_instantiate_variables("var_multiple_time_servers") }}}
+{{{ bash_instantiate_variables("var_multiple_time_pools") }}}
+
+config_file="{{{ chrony_conf_path }}}"
+
+IFS="," read -a SERVERS <<< $var_multiple_time_servers
+for srv in "${SERVERS[@]}"
+do
+   NTP_SRV=$(grep -w $srv $config_file)
+   if [[ ! "$NTP_SRV" == "server "* ]]
+   then
+     time_server="server $srv"
+     echo $time_server >> "$config_file"
+   fi
+done
+
+# Check and configure pools in /etc/chorny.conf
+IFS="," read -a POOLS <<< $var_multiple_time_pools
+for srv in "${POOLS[@]}"
+do
+   NTP_POOL=$(grep -w $srv $config_file)
+   if [[ ! "$NTP_POOL" == "pool "* ]]
+   then
+     time_server="pool $srv"
+     echo $time_server >> "$config_file"
+   fi
+done
diff --git a/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/tests/file_empty.fail.sh b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/tests/file_empty.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# packages = chrony
+
+
+echo "" > {{{ chrony_conf_path }}}
diff --git a/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/tests/file_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/tests/file_missing.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# packages = chrony
+
+
+rm -f {{{ chrony_conf_path }}}
diff --git a/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/tests/incorrect_line1.fail.sh b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/tests/incorrect_line1.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# packages = chrony
+
+
+echo "" > {{{ chrony_conf_path }}}
+echo "server0.suse.pool.ntp.org" >> {{{ chrony_conf_path }}}
+echo "pool1.suse.pool.ntp.org" >> {{{ chrony_conf_path }}}
diff --git a/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/tests/incorrect_line2.fail.sh b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/tests/incorrect_line2.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# packages = chrony
+
+
+echo "" > {{{ chrony_conf_path }}}
+echo "server   0.suse.pool.ntp.org" >> {{{ chrony_conf_path }}}
+echo "pool   1.suse.pool.ntp.org" >> {{{ chrony_conf_path }}}
diff --git a/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/tests/incorrect_line3.fail.sh b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/tests/incorrect_line3.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# packages = chrony
+
+
+echo "" > {{{ chrony_conf_path }}}
+echo " server   0.suse.pool.ntp.org" >> {{{ chrony_conf_path }}}
+echo " pool   1.suse.pool.ntp.org" >> {{{ chrony_conf_path }}}
diff --git a/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/tests/incorrect_line4.fail.sh b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/tests/incorrect_line4.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# packages = chrony
+
+
+echo "" > {{{ chrony_conf_path }}}
+echo " server 0.suse.pool.ntp.org" >> {{{ chrony_conf_path }}}
+echo " pool 1.suse.pool.ntp.org" >> {{{ chrony_conf_path }}}
diff --git a/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/tests/multiple_servers.pass.sh b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/tests/multiple_servers.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# packages = chrony
+
+
+echo "" > {{{ chrony_conf_path }}}
+echo "server 0.suse.pool.ntp.org" >> {{{ chrony_conf_path }}}
+echo "server 1.suse.pool.ntp.org" >> {{{ chrony_conf_path }}}
+echo "pool 2.suse.pool.ntp.org" >> {{{ chrony_conf_path }}}
+echo "pool 3.suse.pool.ntp.org" >> {{{ chrony_conf_path }}}
diff --git a/linux_os/guide/services/ntp/var_multiple_time_pools.var b/linux_os/guide/services/ntp/var_multiple_time_pools.var
@@ -0,0 +1,17 @@
+documentation_complete: true
+
+title: 'Vendor Approved Time pools'
+
+description: 'The list of vendor-approved pool servers'
+
+type: string
+
+interactive: true
+
+options:
+    default: "0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org"
+    fedora: "0.fedora.pool.ntp.org,1.fedora.pool.ntp.org,2.fedora.pool.ntp.org,3.fedora.pool.ntp.org"
+    rhel: "0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org"
+    ol: "0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org"
+    suse: "0.suse.pool.ntp.org,1.suse.pool.ntp.org,2.suse.pool.ntp.org,3.suse.pool.ntp.org"
+    alinux: "0.ntp.cloud.aliyuncs.com,1.ntp.aliyun.com,2.ntp1.aliyun.com,3.ntp1.cloud.aliyuncs.com"
diff --git a/products/sle12/profiles/anssi_bp28_enhanced.profile b/products/sle12/profiles/anssi_bp28_enhanced.profile
@@ -23,4 +23,5 @@ description: |-
 
 selections:
     - anssi:all:enhanced
-
+    - var_multiple_time_servers=suse
+    - var_multiple_time_pools=suse
diff --git a/products/sle12/profiles/anssi_bp28_high.profile b/products/sle12/profiles/anssi_bp28_high.profile
@@ -23,3 +23,5 @@ description: |-
 
 selections:
     - anssi:all:high
+    - var_multiple_time_servers=suse
+    - var_multiple_time_pools=suse
diff --git a/products/sle12/profiles/anssi_bp28_intermediary.profile b/products/sle12/profiles/anssi_bp28_intermediary.profile
@@ -22,4 +22,6 @@ description: |-
     Manual review is required to assess if the installed services are minimal.
 
 selections:
-    - anssi:all:intermediary
+  - anssi:all:intermediary
+  - var_multiple_time_servers=suse
+  - var_multiple_time_pools=suse  
diff --git a/products/sle12/profiles/anssi_bp28_minimal.profile b/products/sle12/profiles/anssi_bp28_minimal.profile
@@ -22,4 +22,6 @@ description: |-
     Manual review is required to assess if the installed services are minimal.
 
 selections:
-    - anssi:all:minimal
+  - anssi:all:minimal
+  - var_multiple_time_servers=suse
+  - var_multiple_time_pools=suse
diff --git a/products/sle12/profiles/pci-dss-4.profile b/products/sle12/profiles/pci-dss-4.profile
@@ -13,6 +13,8 @@ description: |-
 
 selections:
     -  pcidss_3:all:base
+    -  var_multiple_time_servers=suse
+    -  var_multiple_time_pools=suse      
     -  account_unique_id
     -  coredump_disable_backtraces
     -  coredump_disable_storage

diff --git a/products/sle12/profiles/pci-dss.profile b/products/sle12/profiles/pci-dss.profile
@@ -15,3 +15,5 @@ selections:
     - pcidss_3:all:base
     - sshd_approved_macs=cis_sle12
     - sshd_approved_ciphers=cis_sle12
+    - var_multiple_time_servers=suse
+    - var_multiple_time_pools=suse 
diff --git a/products/sle15/profiles/anssi_bp28_enhanced.profile b/products/sle15/profiles/anssi_bp28_enhanced.profile
@@ -23,3 +23,5 @@ description: |-
 
 selections:
     - anssi:all:enhanced
+    - var_multiple_time_servers=suse
+    - var_multiple_time_pools=suse    
diff --git a/products/sle15/profiles/anssi_bp28_high.profile b/products/sle15/profiles/anssi_bp28_high.profile
@@ -23,3 +23,5 @@ description: |-
 
 selections:
     - anssi:all:high
+    - var_multiple_time_servers=suse
+    - var_multiple_time_pools=suse    
diff --git a/products/sle15/profiles/anssi_bp28_intermediary.profile b/products/sle15/profiles/anssi_bp28_intermediary.profile
@@ -22,4 +22,6 @@ description: |-
     Manual review is required to assess if the installed services are minimal.
 
 selections:
-    - anssi:all:intermediary
+  - anssi:all:intermediary
+  - var_multiple_time_servers=suse
+  - var_multiple_time_pools=suse  
diff --git a/products/sle15/profiles/anssi_bp28_minimal.profile b/products/sle15/profiles/anssi_bp28_minimal.profile
@@ -22,4 +22,6 @@ description: |-
     Manual review is required to assess if the installed services are minimal.
 
 selections:
-    - anssi:all:minimal
+  - anssi:all:minimal
+  - var_multiple_time_servers=suse
+  - var_multiple_time_pools=suse  
diff --git a/products/sle15/profiles/pci-dss-4.profile b/products/sle15/profiles/pci-dss-4.profile
@@ -16,6 +16,8 @@ selections:
     -  sshd_strong_kex=default
     -  sshd_approved_macs=cis_sle15
     -  sshd_approved_ciphers=cis_sle15 
+    -  var_multiple_time_servers=suse
+    -  var_multiple_time_pools=suse      
     -  '!service_ntp_enabled'
     -  '!service_ntpd_enabled'
     -  '!service_timesyncd_enabled'