Update chrony rules for RHEL 10

.mailmap

@@ -22,6 +22,7 @@ Ted Brunell <[email protected]> <[email protected]>
 Marcus Burghardt <[email protected]> <[email protected]>
 Marcus Burghardt <[email protected]> <[email protected]>
 
+Matthew Burket <[email protected]>
 Matthew Burket <[email protected]> <[email protected]>
 
 Frank Caviggia <[email protected]> <[email protected]>

components/chrony.yml

@@ -11,3 +11,4 @@ rules:
 - file_permissions_etc_chrony_keys
 - package_chrony_installed
 - service_chronyd_enabled
+- chrony_set_nts

components/ntp.yml

@@ -11,6 +11,7 @@ rules:
 - chronyd_or_ntpd_specify_multiple_servers
 - chronyd_or_ntpd_specify_remote_server
 - chronyd_run_as_chrony_user
+- chrony_set_nts
 - chronyd_server_directive
 - chronyd_specify_remote_server
 - chronyd_sync_clock

controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml

@@ -244,5 +244,6 @@ controls:
             - installed_OS_is_vendor_supported
             - selinux_all_devicefiles_labeled
             - xwindows_remove_packages
+            - chrony_set_nts
 
         status: automated

linux_os/guide/services/ntp/chrony_set_nts/ansible/shared.yml

@@ -0,0 +1,48 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: "{{{ rule_title }}} - Check That /etc/ntp.conf Exist"
+  ansible.builtin.stat:
+    path: /etc/ntp.conf
+  register: ntp_conf_exist_result
+
+- name: "{{{ rule_title }}} - Set the nts Values in /etc/ntp.conf"
+  ansible.builtin.replace:
+    path: /etc/ntp.conf
+    regexp: '(^server\s+((?!nts).)*)$'
+    replace: '\1 nts\n'
+  when: ntp_conf_exist_result.stat.exists
+
+# Chrony, need to hand chrony.conf and any file in chrony.d
+# since chrony_conf_path is the full path to chrony.conf
+# and includes chrony.conf, that must be handled as well
+
+- name: "{{{ rule_title }}} - Check That {{{ chrony_conf_path }}} Exist"
+  ansible.builtin.stat:
+    path: {{{ chrony_conf_path }}}
+  register: chrony_conf_exist_result
+
+- name: "{{{ rule_title }}} - Set the nts Values in {{{ chrony_conf_path }}}"
+  ansible.builtin.replace:
+    path: "{{{ chrony_conf_path }}}"
+    regexp: '(^(?:server|pool|peer)\s+((?!nts).)*)$'
+    replace: '\1 nts\n'
+  when: chrony_conf_exist_result.stat.exists
+
+- name: "{{{ rule_title }}} - Get Conf Files from {{{ chrony_d_path }}}"
+  ansible.builtin.find:
+    path: "{{{ chrony_d_path }}}"
+    patterns: '*.conf'
+    file_type: file
+  register: chrony_d_conf_files
+
+- name: "{{{ rule_title }}} - Set the maxpoll Values in {{{ chrony_d_path }}}"
+  ansible.builtin.replace:
+    path: "{{ item.path }}"
+    regexp: '(^(?:server|pool|peer)\s+((?!maxpoll).)*)$'
+    replace: '\1 nts\n'
+  loop: '{{ chrony_d_conf_files.files }}'
+  when: chrony_d_conf_files.matched

linux_os/guide/services/ntp/chrony_set_nts/bash/shared.sh

@@ -0,0 +1,23 @@
+# platform = multi_platform_all
+
+{{% if 'sle' in product or 'ubuntu' in product %}}
+pof="/bin/pidof"
+{{% else %}}
+pof="/usr/sbin/pidof"
+{{% endif %}}
+
+CONFIG_FILES="/etc/ntp.conf"
+$pof ntpd || {
+    CHRONY_D_PATH={{{ chrony_d_path }}}
+    mapfile -t CONFIG_FILES < <(find ${CHRONY_D_PATH}.* -type f -name '*.conf')
+    CONFIG_FILES+=({{{ chrony_conf_path }}})
+}
+
+# get list of ntp files
+
+for config_file in "${CONFIG_FILES[@]}" ; do
+    # Add maxpoll to server, pool or peer entries without maxpoll
+    grep "^\(server\|pool\|peer\)" "$config_file" | grep -v maxpoll | while read -r line ; do
+        sed -i "s/$line/& nts/" "$config_file"
+    done
+done

linux_os/guide/services/ntp/chrony_set_nts/oval/shared.xml

@@ -0,0 +1,27 @@
+<def-group>
+    <definition class="compliance" id="{{{ rule_id }}}" version="1">
+        {{{ oval_metadata("Configure the nts setting in /etc/ntp.conf or chrony.conf to use NTS on all time servers.") }}}
+        <criteria>
+            <criterion test_ref="test_chrony_all_server_has_nts"></criterion>
+        </criteria>
+    </definition>
+
+    {{% set filepath_regex = "^(" + chrony_conf_path | replace(".", "\.") + "|" + chrony_d_path | replace(".", "\.") + ".+\.conf)$" %}}
+
+    <ind:textfilecontent54_test check="all" check_existence="all_exist"
+    comment="check if all server entries have nts set in {{{ chrony_conf_path }}} or {{{ chrony_d_path }}}"
+    id="test_chrony_all_server_has_nts" version="1">
+      <ind:object object_ref="obj_chrony_all_server_has_nts" />
+      <ind:state state_ref="state_chrony_all_server_has_nts" />
+    </ind:textfilecontent54_test>
+    <ind:textfilecontent54_object id="obj_chrony_all_server_has_nts" version="1">
+      <ind:filepath operation="pattern match">{{{ filepath_regex }}}</ind:filepath>
+      <ind:pattern operation="pattern match">^(?:server|pool|peer)[\s]+[\S]+[\s]+(.*)</ind:pattern>
+      <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+    </ind:textfilecontent54_object>
+
+    <ind:textfilecontent54_state id="state_chrony_all_server_has_nts" version="1">
+      <ind:subexpression operation="pattern match" datatype="string">nts</ind:subexpression>
+    </ind:textfilecontent54_state>
+
+</def-group>

linux_os/guide/services/ntp/chrony_set_nts/policy/stig/shared.yml

@@ -0,0 +1,17 @@
+srg_requirement: '{{{ full_name }}} must use encryption for NTP communications.'
+
+vuldiscussion: |-
+
+checktext: |-
+    Verify that {{{ full_name }}} uses encryption for NTP communications.
+
+    $ sudo grep nts /etc/ntp.conf /etc/chrony.conf
+
+    server [ntp.server.name] iburst maxpoll 10 nts
+
+    If "nts" is commented out or is missing, this is a finding.
+
+fixtext: |-
+    Configure {{{ full_name }}} to use encryption for NTP communications.
+
+    server [ntp.server.name] iburst maxpoll 10 nts

linux_os/guide/services/ntp/chrony_set_nts/rule.yml

@@ -0,0 +1,23 @@
+documentation_complete: true
+
+title: 'Configure Time Service to use NTS'
+
+description: |-
+    The system should be configured to use time servers that support Network Time Security (NTS).
+    The specified time server must support NTS and must be configured to use NTS.
+    To configure NTS for given time server add <tt>nts</tt> to each <tt>server</tt> or <tt>pool</tt> line in <tt>{{{ chrony_conf_path }}}</tt>.
+
+rationale: |-
+    Network Time Security (NTS) uses Transport Layer Security (TLS) to secure Network Time Protocol (NTP) communications.
+    Not using NTS could allow an attacker to interpret and modify the data sent back from the time server
+    Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis.
+    Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events.
+    Sources outside the configured acceptable allowance (drift) may be inaccurate.
+
+identifiers:
+    cce@rhel10: CCE-86471-0
+
+severity: medium
+
+platforms:
+    - package[chrony]

linux_os/guide/services/ntp/chrony_set_nts/tests/chrony_d_one_pool_missing.fail.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+# packages = chrony
+# platform = multi_platform_rhel
+
+{{{ bash_package_remove("ntp") }}}
+
+# Remove all server or pool options
+sed -i "/^\(server\|pool\).*/d" {{{ chrony_d_path }}}/20-pools.conf
+
+echo "pool pool.ntp.org iburst" >> {{{ chrony_d_path }}}/20-pools.conf
+
+systemctl enable chronyd.service
+

linux_os/guide/services/ntp/chrony_set_nts/tests/chrony_d_one_server_missing.fail.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+# packages = chrony
+# platform = multi_platform_rhel
+
+{{{ bash_package_remove("ntp") }}}
+
+# Remove all pool options
+sed -i "/^pool.*/d" {{{ chrony_d_path }}}/10-servers.conf
+
+if ! grep "^server.*maxpoll 10" {{{ chrony_d_path }}}/10-servers.conf ; then
+    sed -i "s/^server.*/& maxpoll 10/" {{{ chrony_d_path }}}/10-servers.conf
+fi
+
+echo "server test.ntp.org" >> {{{ chrony_d_path }}}/10-servers.conf
+
+systemctl enable chronyd.service

linux_os/guide/services/ntp/chrony_set_nts/tests/chrony_no_pool_nor_servers.fail.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+# packages = chrony
+# remediation = none
+
+{{{ bash_package_remove("ntp") }}}
+
+# Remove all pool and server options
+sed -i "/^pool.*/d" {{{ chrony_conf_path }}}
+sed -i "/^server.*/d" {{{ chrony_conf_path }}}
+
+systemctl enable chronyd.service

linux_os/guide/services/ntp/chrony_set_nts/tests/chrony_one_pool_configured.pass.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+# packages = chrony
+
+{{{ bash_package_remove("ntp") }}}
+
+# Remove all server or pool options
+sed -i "/^\(server\|pool\).*/d" {{{ chrony_conf_path }}}
+
+echo "pool pool.ntp.org iburst nts" >> {{{ chrony_conf_path }}}
+
+systemctl enable chronyd.service
+

linux_os/guide/services/ntp/chrony_set_nts/tests/chrony_one_pool_missing.fail.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+# packages = chrony
+
+{{{ bash_package_remove("ntp") }}}
+
+# Remove all server or pool options
+sed -i "/^\(server\|pool\).*/d" {{{ chrony_conf_path }}}
+
+echo "pool pool.ntp.org iburst" >> {{{ chrony_conf_path }}}
+
+systemctl enable chronyd.service
+

linux_os/guide/services/ntp/chronyd_server_directive/rule.yml

@@ -7,6 +7,7 @@ description: |-
 
 rationale: |-
     Depending on the infrastructure being used the <tt>pool</tt> directive may not be supported.
+    Using the <tt>server</tt> directive allows for better control of where the system gets time data from.
 
 severity: medium
 

linux_os/guide/services/ntp/file_groupowner_etc_chrony_keys/rule.yml

@@ -2,13 +2,13 @@ documentation_complete: true
 
 title: Verify Group Who Owns /etc/chrony.keys File
 
-description: '{{{ describe_file_group_owner(file="/etc/chrony.keys", group="root") }}}'
+description: '{{{ describe_file_group_owner(file="/etc/chrony.keys", group="chrony") }}}'
 
 rationale: |-
-    The ownership of the /etc/chrony.keys file by the root group is important
+    The ownership of the /etc/chrony.keys file by the chrony group is important
     because this file hosts chrony cryptographic keys. Protection
     of this file is critical for system security. Assigning the ownership to
-    root ensures exclusive control of the chrony cryptography keys.
+    chrony ensures exclusive control of the chrony cryptography keys.
 
 severity: medium
 
@@ -17,17 +17,17 @@ identifiers:
     cce@rhel9: CCE-86374-6
     cce@rhel10: CCE-87112-9
 
-ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/chrony.keys", group="root") }}}'
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/chrony.keys", group="chrony") }}}'
 
 ocil: |-
-    {{{ ocil_file_group_owner(file="/etc/chrony.keys", group="root") }}}
+    {{{ ocil_file_group_owner(file="/etc/chrony.keys", group="chrony") }}}
 
-fixtext: '{{{ fixtext_file_group_owner(file="/etc/chrony.keys", group="root") }}}'
+fixtext: '{{{ fixtext_file_group_owner(file="/etc/chrony.keys", group="chrony") }}}'
 
-srg_requirement: '{{{ srg_requirement_file_group_owner(file="/etc/chrony.keys", group="root") }}}'
+srg_requirement: '{{{ srg_requirement_file_group_owner(file="/etc/chrony.keys", group="chrony") }}}'
 
 template:
     name: file_groupowner
     vars:
         filepath: /etc/chrony.keys
-        gid_or_name: root
+        gid_or_name: chrony

linux_os/guide/services/ntp/file_owner_etc_chrony_keys/rule.yml

@@ -5,10 +5,10 @@ title: Verify User Who Owns /etc/chrony.keys File
 description: '{{{ describe_file_owner(file="/etc/chrony.keys", owner="root") }}}'
 
 rationale: |-
-    The ownership of the /etc/chrony.keys file by the root user is important
+    The ownership of the /etc/chrony.keys file by the chrony user is important
     because this file hosts chrony cryptographic keys. Protection
     of this file is critical for system security. Assigning the ownership to
-    root ensures exclusive control of the chrony cryptographic keys.
+    chrony ensures exclusive control of the chrony cryptographic keys.
 
 severity: medium
 

shared/references/cce-redhat-avail.txt

@@ -53,7 +53,6 @@ CCE-86466-0
 CCE-86468-6
 CCE-86469-4
 CCE-86470-2
-CCE-86471-0
 CCE-86472-8
 CCE-86473-6
 CCE-86474-4

shared/schemas/rule_policy_content.json

@@ -0,0 +1,20 @@
+{
+    "$id": "http://complianceascode.io/schemas/1.0/variable.json",
+    "$schema": "https://json-schema.org/draft/2020-12/schema",
+    "type": "object",
+    "properties": {
+        "checktext": {
+            "type": "string"
+        },
+        "fixtext": {
+            "type": "string"
+        },
+        "srg_requirement": {
+            "type": "string"
+        },
+        "vuldiscussion": {
+            "type":"string"
+        }
+    },
+    "uniqueItems": true
+}