Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Switch to _guard_var templates for timesync rules on Ubuntu 24.04 #12903

Merged
merged 4 commits into from
Jan 29, 2025
Merged

Switch to _guard_var templates for timesync rules on Ubuntu 24.04 #12903

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
84570c1
Create new variable var_timesync_service
mpurg Jan 27, 2025
f8559c6
Switch to selecting timesync with var_timesync_service on Ubuntu 24.04
mpurg Jan 27, 2025
5661775
Use _guard_var templates for timesync packages on Ubuntu 24.04
mpurg Jan 27, 2025
13f6dbc
Use _guard_var templates for timesync services on Ubuntu 24.04
mpurg Jan 27, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 17 additions & 6 deletions controls/cis_ubuntu2404.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -940,8 +940,18 @@ controls:
- l1_server
- l1_workstation
rules:
- var_timesync_service=systemd-timesyncd
- package_chrony_installed
- service_chronyd_enabled
- service_chronyd_disabled
- package_timesyncd_installed
- service_timesyncd_enabled
- service_timesyncd_disabled
- ntp_single_service_active
status: automated
notes: |
To select which timesync daemon to install and configure, use the
profile variable var_timesync_service.

- id: 2.3.2.1
title: Ensure systemd-timesyncd configured with authorized timeserver (Automated)
Expand All @@ -958,10 +968,11 @@ controls:
levels:
- l1_server
- l1_workstation
rules:
- service_chronyd_disabled
related_rules:
- service_timesyncd_enabled
- service_timesyncd_disabled
status: automated
notes: Implemented in 2.3.1.1

- id: 2.3.3.1
title: Ensure chrony is configured with authorized timeserver (Automated)
Expand All @@ -977,7 +988,6 @@ controls:
Rule does not check or remediate config files included via
confdir and sourcedir directives.


- id: 2.3.3.2
title: Ensure chrony is running as user _chrony (Automated)
levels:
Expand All @@ -992,10 +1002,11 @@ controls:
levels:
- l1_server
- l1_workstation
rules:
- "!service_chronyd_enabled"
- "!service_timesyncd_disabled"
related_rules:
- service_chronyd_enabled
- service_chronyd_disabled
status: automated
notes: Implemented in 2.3.1.1

- id: 2.4.1.1
title: Ensure cron daemon is enabled and active (Automated)
Expand Down
10 changes: 9 additions & 1 deletion linux_os/guide/services/ntp/package_chrony_installed/rule.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,6 @@ rationale: |-

severity: medium


identifiers:
cce@rhel8: CCE-82874-9
cce@rhel9: CCE-84215-3
Expand Down Expand Up @@ -46,7 +45,16 @@ fixtext: '{{{ describe_package_install(package="chrony") }}}'

srg_requirement: '{{{ srg_requirement_package_installed("chrony") }}}'

{{%- if product in [ "ubuntu2404" ] %}}
template:
name: package_installed_guard_var
vars:
pkgname: chrony
variable: var_timesync_service
value: chronyd
{{%- else %}}
template:
name: package_installed
vars:
pkgname: chrony
{{%- endif %}}
9 changes: 9 additions & 0 deletions linux_os/guide/services/ntp/package_timesyncd_installed/rule.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,16 @@ references:
nist-csf: PR.PT-1
pcidss: Req-10.4

{{%- if product in [ "ubuntu2404" ] %}}
template:
name: package_installed_guard_var
vars:
pkgname: systemd-timesyncd
variable: var_timesync_service
value: systemd-timesyncd
{{%- else %}}
template:
name: package_installed
vars:
pkgname: systemd-timesyncd
{{%- endif %}}
9 changes: 9 additions & 0 deletions linux_os/guide/services/ntp/package_timesyncd_removed/rule.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,16 @@ references:
disa: CCI-000366
stigid@ubuntu2204: UBTU-22-215020

{{%- if product in [ "ubuntu2404" ] %}}
template:
name: package_removed_guard_var
vars:
pkgname: systemd-timesyncd
variable: var_timesync_service
value: systemd-timesyncd
{{%- else %}}
template:
name: package_removed
vars:
pkgname: systemd-timesyncd
{{%- endif %}}
10 changes: 10 additions & 0 deletions linux_os/guide/services/ntp/service_chronyd_disabled/rule.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,15 @@ severity: medium

platform: package[chrony]

{{%- if product in [ "ubuntu2404" ] %}}
template:
name: service_disabled_guard_var
vars:
packagename: chrony
servicename: chrony
variable: var_timesync_service
value: chronyd
{{%- else %}}
template:
name: service_disabled
vars:
Expand All @@ -21,3 +30,4 @@ template:
servicename@ubuntu2004: chrony
servicename@ubuntu2204: chrony
servicename@debian12: chrony
{{%- endif %}}
10 changes: 10 additions & 0 deletions linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,15 @@ fixtext: '{{{ fixtext_service_enabled(service="chronyd") }}}'

srg_requirement: '{{{ srg_requirement_service_enabled(service="chronyd") }}}'

{{%- if product in [ "ubuntu2404" ] %}}
template:
name: service_enabled_guard_var
vars:
packagename: chrony
servicename: chrony
variable: var_timesync_service
value: chronyd
{{%- else %}}
template:
name: service_enabled
vars:
Expand All @@ -49,3 +58,4 @@ template:
servicename@ubuntu2004: chrony
servicename@ubuntu2204: chrony
servicename@debian12: chrony
{{%- endif %}}
11 changes: 10 additions & 1 deletion linux_os/guide/services/ntp/service_timesyncd_disabled/rule.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
documentation_complete: true


title: 'Disable systemd_timesyncd Service'

description: |-
Expand All @@ -18,8 +17,18 @@ severity: medium

platform: package[systemd-timesyncd]

{{%- if product in [ "ubuntu2404" ] %}}
template:
name: service_disabled_guard_var
vars:
packagename: systemd-timesyncd
servicename: systemd-timesyncd
variable: var_timesync_service
value: systemd-timesyncd
{{%- else %}}
template:
name: service_disabled
vars:
servicename: systemd-timesyncd
packagename: systemd-timesyncd
{{%- endif %}}
10 changes: 10 additions & 0 deletions linux_os/guide/services/ntp/service_timesyncd_enabled/rule.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,8 +43,18 @@ references:
ocil: |-
{{{ ocil_service_enabled(service="systemd_timesyncd") }}}

{{%- if product in [ "ubuntu2404" ] %}}
template:
name: service_enabled_guard_var
vars:
packagename: systemd-timesyncd
servicename: systemd-timesyncd
variable: var_timesync_service
value: systemd-timesyncd
{{%- else %}}
template:
name: service_enabled
vars:
servicename: systemd-timesyncd
packagename: systemd
{{%- endif %}}
17 changes: 17 additions & 0 deletions linux_os/guide/services/ntp/var_timesync_service.var
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
documentation_complete: true

title: 'Time synchronization service'

description: |-
Time synchronization service: systemd-timesyncd or chronyd

type: string

operator: equals

interactive: true

options:
systemd-timesyncd: systemd-timesyncd
chronyd: chronyd
default: systemd-timesyncd
Loading