
Update chrony rules for RHEL 10 #12415

Merged
merged 3 commits into from
Sep 30, 2024

Conversation

Mab879
Member

@Mab879 Mab879 commented Sep 24, 2024

Description:

  • Update rationale for chronyd_server_directive
  • Move /etc/chrony.keys to be owned by root:chrony
  • Add new rule for NTS

Rationale:

Updates for RHEL 10.

@Mab879 Mab879 added New Rule Issues or pull requests related to new Rules. Update Rule Issues or pull requests related to Rules updates. RHEL10 Red Hat Enterprise Linux 10 product related. labels Sep 24, 2024
@Mab879 Mab879 added this to the 0.1.75 milestone Sep 24, 2024

github-actions bot commented Sep 24, 2024

This datastream diff is auto-generated by the check Compare DS/Generate Diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_chronyd_server_directive'.
--- xccdf_org.ssgproject.content_rule_chronyd_server_directive
+++ xccdf_org.ssgproject.content_rule_chronyd_server_directive
@@ -28,6 +28,7 @@
 
 [rationale]:
 Depending on the infrastructure being used the pool directive may not be supported.
+Using the server directive allows for better control of where the system gets time data from.
 
 [ident]:
 CCE-86077-5
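Review bot: the added rationale sentence states a benefit but not the security property the rule enforces; "better control of where the system gets time data from" is vague. Suggest tightening it to something like "Using the server directive names each time source explicitly, so the set of hosts the system trusts for time is fixed and auditable rather than resolved dynamically from a pool." While this paragraph is being edited, the preceding context line also needs a comma: "Depending on the infrastructure being used, the pool directive may not be supported."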

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_chrony_keys'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_etc_chrony_keys
+++ xccdf_org.ssgproject.content_rule_file_groupowner_etc_chrony_keys
@@ -3,16 +3,16 @@
 Verify Group Who Owns /etc/chrony.keys File
 
 [description]:
-To properly set the group owner of /etc/chrony.keys, run the command: $ sudo chgrp root /etc/chrony.keys
+To properly set the group owner of /etc/chrony.keys, run the command: $ sudo chgrp chrony /etc/chrony.keys
 
 [reference]:
 R50
 
 [rationale]:
-The ownership of the /etc/chrony.keys file by the root group is important
+The ownership of the /etc/chrony.keys file by the chrony group is important
 because this file hosts chrony cryptographic keys. Protection
 of this file is critical for system security. Assigning the ownership to
-root ensures exclusive control of the chrony cryptography keys.
+chrony ensures exclusive control of the chrony cryptography keys.
 
 [ident]:
 CCE-86373-8
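Review bot: the rationale's last sentence, "chrony ensures exclusive control of the chrony cryptography keys", no longer holds once the group is chrony instead of root: group ownership by a service account does not give exclusive control, it grants the chronyd service read access alongside the root owner described in the PR summary. Suggest rewording to state that purpose, e.g. "Assigning the group to chrony allows chronyd to read its keys while the root owner retains control of the file." Also "cryptography keys" should read "cryptographic keys", matching the wording in the file_owner rule.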

OCIL for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_chrony_keys' differs.
--- ocil:ssg-file_groupowner_etc_chrony_keys_ocil:questionnaire:1
+++ ocil:ssg-file_groupowner_etc_chrony_keys_ocil:questionnaire:1
@@ -2,6 +2,6 @@
 run the command:
 $ ls -lL /etc/chrony.keys
 If properly configured, the output should indicate the following group-owner:
-root
-      Is it the case that /etc/chrony.keys does not have a group owner of root?
+chrony
+      Is it the case that /etc/chrony.keys does not have a group owner of chrony?
       
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_chrony_keys' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_etc_chrony_keys
+++ xccdf_org.ssgproject.content_rule_file_groupowner_etc_chrony_keys
@@ -1,7 +1,7 @@
 # Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-chgrp -L root /etc/chrony.keys
+chgrp -L chrony /etc/chrony.keys
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
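Review bot: the only guard in this hunk is the container check, so `chgrp -L chrony /etc/chrony.keys` will fail on a host where the chrony group does not exist (for example, when the chrony package is not installed), and the remediation would report an error instead of being skipped. Consider checking `getent group chrony` before the chgrp, or making the rule's applicability depend on the chrony package being installed.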

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_chrony_keys' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_etc_chrony_keys
+++ xccdf_org.ssgproject.content_rule_file_groupowner_etc_chrony_keys
@@ -12,10 +12,10 @@
   - medium_severity
   - no_reboot_needed
 
-- name: Ensure group owner root on /etc/chrony.keys
+- name: Ensure group owner chrony on /etc/chrony.keys
   file:
     path: /etc/chrony.keys
-    group: root
+    group: chrony
   when:
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - file_exists.stat is defined and file_exists.stat.exists

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_chrony_keys'.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_chrony_keys
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_chrony_keys
@@ -9,10 +9,10 @@
 R50
 
 [rationale]:
-The ownership of the /etc/chrony.keys file by the root user is important
+The ownership of the /etc/chrony.keys file by the chrony user is important
 because this file hosts chrony cryptographic keys. Protection
 of this file is critical for system security. Assigning the ownership to
-root ensures exclusive control of the chrony cryptographic keys.
+chrony ensures exclusive control of the chrony cryptographic keys.
 
 [ident]:
 CCE-86379-5
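Review bot: this rationale now says the chrony user should own /etc/chrony.keys, but the PR description states the file is moved to root:chrony, and no description, OCIL or remediation changes for the file_owner rule appear in the diff, so the rule still checks and remediates root as the owner. The rationale would contradict the check. Either keep "root user" here and adjust only the wording that explains why the group is chrony, or, if the owner really is meant to change, give this rule the same description, OCIL and remediation updates the groupowner rule received.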


github-actions bot commented Sep 24, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12415
This image was built from commit: b8d237d


If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12415

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12415 make deploy-local

@Mab879 Mab879 marked this pull request as draft September 24, 2024 20:27
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Sep 24, 2024

codeclimate bot commented Sep 25, 2024

Code Climate has analyzed commit b8d237d and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.5% (0.0% change).

View more on Code Climate.

@Mab879 Mab879 marked this pull request as ready for review September 26, 2024 12:25
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Sep 26, 2024
@jan-cerny jan-cerny self-assigned this Sep 30, 2024
Collaborator

@jan-cerny jan-cerny left a comment


jcerny@fedora:~/work/git/scap-security-guide (pr/12415)$  python3 tests/automatus.py rule  --libvirt qemu:///system ssgts_rhel10 chrony_set_nts chronyd_server_directive
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-09-30-1157/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_chronyd_server_directive
INFO - Script file_empty.fail.sh using profile (all) OK
INFO - Script file_missing.fail.sh using profile (all) OK
INFO - Script line_missing.fail.sh using profile (all) OK
INFO - Script multiple_servers.pass.sh using profile (all) OK
INFO - Script only_pool.fail.sh using profile (all) OK
INFO - Script only_server.pass.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_chrony_set_nts
INFO - Script chrony_d_one_pool_missing.fail.sh using profile (all) OK
INFO - Script chrony_d_one_server_missing.fail.sh using profile (all) OK
INFO - Script chrony_no_pool_nor_servers.fail.sh using profile (all) OK
INFO - Script chrony_one_pool_configured.pass.sh using profile (all) OK
INFO - Script chrony_one_pool_missing.fail.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/12415)$  python3 tests/automatus.py rule  --libvirt qemu:///system ssgts_rhel10 --remediate-using ansible chrony_set_nts chronyd_server_directive
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-09-30-1308/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_chronyd_server_directive
INFO - Script file_empty.fail.sh using profile (all) OK
INFO - Script file_missing.fail.sh using profile (all) OK
INFO - Script line_missing.fail.sh using profile (all) OK
INFO - Script multiple_servers.pass.sh using profile (all) OK
INFO - Script only_pool.fail.sh using profile (all) OK
INFO - Script only_server.pass.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_chrony_set_nts
INFO - Script chrony_d_one_pool_missing.fail.sh using profile (all) OK
INFO - Script chrony_d_one_server_missing.fail.sh using profile (all) OK
INFO - Script chrony_no_pool_nor_servers.fail.sh using profile (all) OK
INFO - Script chrony_one_pool_configured.pass.sh using profile (all) OK
INFO - Script chrony_one_pool_missing.fail.sh using profile (all) OK

@jan-cerny jan-cerny merged commit 6963530 into ComplianceAsCode:master Sep 30, 2024
94 of 100 checks passed