Merge pull request #12823 from alanmcanonical/ubt24_2311

Ubuntu 24.04: Implement 2.3.1.1 Ensure a single time synchronization daemon is in use
ComplianceAsCode · Jan 23, 2025 · 2d9b922 · 2d9b922
2 parents 12279d1 + 563a18f
commit 2d9b922
Show file tree

Hide file tree

Showing 12 changed files with 179 additions and 7 deletions.
diff --git a/components/chrony.yml b/components/chrony.yml
@@ -17,3 +17,4 @@ rules:
 - chronyd_no_chronyc_network
 - chronyd_or_ntpd_specify_multiple_servers
 - chronyd_sync_clock
+- service_chronyd_disabled
diff --git a/components/ntp.yml b/components/ntp.yml
@@ -22,15 +22,18 @@ rules:
 - ntpd_run_as_ntp_user
 - ntpd_specify_multiple_servers
 - ntpd_specify_remote_server
+- ntp_single_service_active
 - package_chrony_installed
 - package_ntp_installed
 - package_ntp_removed
 - package_timesyncd_installed
 - package_timesyncd_removed
 - service_chronyd_enabled
+- service_chronyd_disabled
 - service_chronyd_or_ntpd_enabled
 - service_ntp_enabled
 - service_ntpd_enabled
 - service_timesyncd_enabled
+- service_timesyncd_disabled
 - service_timesyncd_configured
 - service_timesyncd_root_distance_configured
diff --git a/components/systemd.yml b/components/systemd.yml
@@ -35,6 +35,7 @@ rules:
 - service_timesyncd_configured
 - service_timesyncd_root_distance_configured
 - service_timesyncd_enabled
+- service_timesyncd_disabled
 - socket_systemd-journal-remote_disabled
 - systemd_tmp_mount_enabled
 - systemd_journal_upload_server_tls

diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
@@ -939,12 +939,9 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    related_rules:
-      - package_chrony_installed
-      - package_ntp_installed
-      - package_timesyncd_installed
-    status: planned
-    notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/2.1.1.1.
+    rules:
+      - ntp_single_service_active
+    status: automated
 
   - id: 2.3.2.1
     title: Ensure systemd-timesyncd configured with authorized timeserver (Automated)
@@ -962,6 +959,7 @@ controls:
       - l1_server
       - l1_workstation
     rules:
+      - service_chronyd_disabled
       - service_timesyncd_enabled
     status: automated
 
@@ -995,7 +993,8 @@ controls:
       - l1_server
       - l1_workstation
     rules:
-      - service_chronyd_enabled
+      - "!service_chronyd_enabled"
+      - "!service_timesyncd_disabled"
     status: automated
 
   - id: 2.4.1.1

diff --git a/linux_os/guide/services/ntp/ntp_single_service_active/oval/shared.xml b/linux_os/guide/services/ntp/ntp_single_service_active/oval/shared.xml
@@ -0,0 +1,47 @@
+<def-group>
+  <!-- Check that exactly one time synchronization service is active -->
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+  {{{ oval_metadata("Ensure a Single Time Synchronization Service is in Use") }}}
+    <criteria>
+        <criterion comment="exactly one time synchronization service is active"
+            test_ref="test_{{{ rule_id }}}_single_active_timesync"/>
+    </criteria>
+  </definition>
+
+  <!-- Objects and states to identify active time synchronization services -->
+  <linux:systemdunitproperty_object id="obj_{{{ rule_id }}}_timesync_services" version="1"
+      comment="All active time synchronization services">
+    <linux:unit operation="pattern match">^(chrony|systemd-timesyncd).service$</linux:unit>
+    <linux:property>ActiveState</linux:property>
+    <filter action="include">ste_{{{ rule_id }}}_timesync_services</filter>
+  </linux:systemdunitproperty_object>
+
+  <linux:systemdunitproperty_state id="ste_{{{ rule_id }}}_timesync_services" version="1">
+    <linux:value>active</linux:value>
+  </linux:systemdunitproperty_state>
+
+  <!-- Count active time synchronization services -->
+  <local_variable id="var_{{{ rule_id }}}_timesync_active_count" datatype="int" version="1"
+                 comment="Number of currently active time synchronization services">
+   <count>
+     <regex_capture pattern="^active$">
+       <object_component item_field="value" object_ref="obj_{{{ rule_id }}}_timesync_services"/>
+     </regex_capture>
+   </count>
+  </local_variable>
+
+  <!-- Test that count equals one -->
+  <ind:variable_test id="test_{{{ rule_id }}}_single_active_timesync" version="1" check="all"
+                     comment="Verify exactly one time synchronization service is active">
+    <ind:object object_ref="obj_{{{ rule_id }}}_count"/>
+    <ind:state state_ref="ste_{{{ rule_id }}}_count"/>
+  </ind:variable_test>
+
+  <ind:variable_object id="obj_{{{ rule_id }}}_count" version="1">
+    <ind:var_ref>var_{{{ rule_id }}}_timesync_active_count</ind:var_ref>
+  </ind:variable_object>
+
+  <ind:variable_state id="ste_{{{ rule_id }}}_count" version="1">
+    <ind:value operation="equals" datatype="int">1</ind:value>
+  </ind:variable_state>
+</def-group>
diff --git a/linux_os/guide/services/ntp/ntp_single_service_active/rule.yml b/linux_os/guide/services/ntp/ntp_single_service_active/rule.yml
@@ -0,0 +1,33 @@
+documentation_complete: true
+
+title: 'Ensure a Single Time Synchronization Service is in Use'
+
+description: |-
+    The system must have exactly one active time synchronization service to avoid conflicts
+    and ensure consistent time synchronization. Only one of the following services should be
+    enabled and active at any time:
+    <ul>
+        <li>chrony - A versatile NTP implementation</li>
+        <li>systemd-timesyncd - A lightweight NTP client</li>
+    </ul>
+    Having zero active time synchronization services leaves the system without accurate
+    time synchronization, while having multiple active services can lead to unexpected and
+    unreliable results.
+
+rationale: |-
+    Running multiple time synchronization services simultaneously can lead to conflicts
+    in time synchronization, unpredictable behavior, and unreliable results. A single service
+    ensures consistent and accurate time synchronization.
+
+    Having no active time synchronization service leaves the system without accurate
+    time synchronization, which can affect security mechanisms, log consistency, and forensic
+    investigations.
+
+severity: medium
+
+platform: machine
+
+warnings:
+    - general: |-
+        This rule does not come with a remediation. There are specific rules
+        for enabling each time synchronization service, which should be used instead.
diff --git a/linux_os/guide/services/ntp/ntp_single_service_active/tests/multiple.fail.sh b/linux_os/guide/services/ntp/ntp_single_service_active/tests/multiple.fail.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# remediation = none
+
+{{{ bash_package_install("chrony") }}}
+{{{ bash_package_install("systemd-timesyncd") }}}
+
+systemctl stop chrony.service
+systemctl stop systemd-timesyncd.service
+systemctl disable chrony.service
+systemctl disable systemd-timesyncd.service
+
+systemctl start chrony.service
+systemctl start systemd-timesyncd.service
+systemctl enable chrony.service
+systemctl enable systemd-timesyncd.service
diff --git a/linux_os/guide/services/ntp/ntp_single_service_active/tests/none.fail.sh b/linux_os/guide/services/ntp/ntp_single_service_active/tests/none.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# remediation = none
+
+{{{ bash_package_install("chrony") }}}
+{{{ bash_package_install("systemd-timesyncd") }}}
+
+systemctl stop chrony.service
+systemctl stop systemd-timesyncd.service
+systemctl disable chrony.service
+systemctl disable systemd-timesyncd.service
diff --git a/linux_os/guide/services/ntp/ntp_single_service_active/tests/single.pass.sh b/linux_os/guide/services/ntp/ntp_single_service_active/tests/single.pass.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# remediation = none
+
+{{{ bash_package_install("chrony") }}}
+{{{ bash_package_install("systemd-timesyncd") }}}
+
+systemctl stop chrony.service
+systemctl stop systemd-timesyncd.service
+systemctl disable chrony.service
+systemctl disable systemd-timesyncd.service
+
+systemctl start chrony.service
+systemctl enable chrony.service
diff --git a/linux_os/guide/services/ntp/service_chronyd_disabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_disabled/rule.yml
@@ -0,0 +1,23 @@
+documentation_complete: true
+
+title: 'The Chronyd service is disabled'
+
+description: |-
+    {{{ describe_service_disable(service="chrony") }}}
+
+rationale: |-
+    Disabling the <tt>chrony</tt> service ensures that there is
+    only single one time service running.
+
+severity: medium
+
+platform: package[chrony]
+
+template:
+    name: service_disabled
+    vars:
+        packagename: chrony
+        servicename: chronyd
+        servicename@ubuntu2004: chrony
+        servicename@ubuntu2204: chrony
+        servicename@debian12: chrony
diff --git a/linux_os/guide/services/ntp/service_timesyncd_disabled/rule.yml b/linux_os/guide/services/ntp/service_timesyncd_disabled/rule.yml
@@ -0,0 +1,25 @@
+documentation_complete: true
+
+
+title: 'Disable systemd_timesyncd Service'
+
+description: |-
+    {{{ describe_service_disable(service="systemd_timesyncd") }}}
+
+rationale: |-
+    Disabling the <tt>systemd_timesyncd</tt> service ensures that there is
+    only single one time service running.
+    <br /><br />
+    Additional information on Ubuntu network time protocol is
+    available at
+    {{{ weblink(link="https://ubuntu.com/server/docs/about-time-synchronisation") }}}.
+
+severity: medium
+
+platform: package[systemd-timesyncd]
+
+template:
+    name: service_disabled
+    vars:
+        servicename: systemd-timesyncd
+        packagename: systemd-timesyncd
diff --git a/shared/applicability/package.yml b/shared/applicability/package.yml
@@ -118,6 +118,8 @@ args:
     pkgname: sudo
   systemd:
     pkgname: systemd
+  systemd-timesyncd:
+    pkgname: systemd-timesyncd
   telnet-server:
     pkgname: telnet-server
   tftp-server: