
feat: Implements CIS Benchmark - 2.1.2 Ensure chrony is configured #236

Open
wants to merge 2 commits into
base: main

Conversation

brakkio86 (Author)

Enhancement:
I changed the template for the chrony sysconfig file in order to implement the CIS Benchmark recommendation for RHEL.

Reason:
Be compatible with CIS Benchmark "2.1.2 Ensure chrony is configured" on RHEL.

Result:
CIS Benchmark compatible.

Issue Tracker Tickets (Jira or BZ if any):
N.A.

spetrosi (Contributor) commented Apr 2, 2024

[citest]

@spetrosi spetrosi changed the title implements CIS Benchmark - 2.1.2 Ensure chrony is configured feat: Implements CIS Benchmark - 2.1.2 Ensure chrony is configured Apr 2, 2024
mlichvar (Collaborator) commented Apr 2, 2024

-u chrony is the default on RHEL. It doesn't need to be set. Other distributions may have different names for the user.

richm (Collaborator) left a comment

Thanks @mlichvar - so the PR as it stands needs some work so that it will only set -u chrony on those platforms that do not set a default user.

brakkio86 (Author)

Hello, in RHEL the compiled-in default user is the "chrony" user; on the other hand, the CIS benchmark wants to be sure that this is also the effective configuration. Is it possible to add a check in order to implement it only on RHEL? Another way to allow the implementation is to allow customization of the sysconfig file.
Thanks,
Francesco

richm (Collaborator) commented Apr 3, 2024

> Hello, in RHEL the compiled-in default user is the "chrony" user; on the other hand, the CIS benchmark wants to be sure that this is also the effective configuration. Is it possible to add a check in order to implement it only on RHEL? Another way to allow the implementation is to allow customization of the sysconfig file. Thanks, Francesco

I'm not sure what you are trying to do. Are you running some sort of CIS compliance scanner that is complaining that chronyd is not using -u chrony? If so, then it seems to me that the right answer isn't to force -u chrony using this role.

brakkio86 (Author)

> > Hello, in RHEL the compiled-in default user is the "chrony" user; on the other hand, the CIS benchmark wants to be sure that this is also the effective configuration. Is it possible to add a check in order to implement it only on RHEL? Another way to allow the implementation is to allow customization of the sysconfig file. Thanks, Francesco
>
> I'm not sure what you are trying to do. Are you running some sort of CIS compliance scanner that is complaining that chronyd is not using -u chrony? If so, then it seems to me that the right answer isn't to force -u chrony using this role.

Yes, I'm applying a CIS-compliant configuration. On the other hand, this role broke the configuration as it removes the -u chrony setting. What do you suggest?

richm (Collaborator) commented Apr 4, 2024

> > > Hello, in RHEL the compiled-in default user is the "chrony" user; on the other hand, the CIS benchmark wants to be sure that this is also the effective configuration. Is it possible to add a check in order to implement it only on RHEL? Another way to allow the implementation is to allow customization of the sysconfig file. Thanks, Francesco
> >
> > I'm not sure what you are trying to do. Are you running some sort of CIS compliance scanner that is complaining that chronyd is not using -u chrony? If so, then it seems to me that the right answer isn't to force -u chrony using this role.
>
> Yes, I'm applying a CIS-compliant configuration. On the other hand, this role broke the configuration as it removes the -u chrony setting. What do you suggest?

Well, as @mlichvar says, the default on RHEL is -u chrony. So for CIS compliance, do you just need a way to determine what that default value is?

brakkio86 (Author)

> Well, as @mlichvar says, the default on RHEL is -u chrony. So for CIS compliance, do you just need a way to determine what that default value is?

Unfortunately no, CIS Security mandatorily requires an explicit user in /etc/sysconfig/chronyd. Maybe it is possible to parametrize the OPTIONS section in /etc/sysconfig/chronyd.

mlichvar (Collaborator)

If a new option needs to be added to the role for this, I'd prefer a more general approach specifying directly the additional chronyd options included in /etc/sysconfig/chronyd, e.g. timesync_chronyd_custom_options.

richm (Collaborator) commented Apr 10, 2024

> If a new option needs to be added to the role for this, I'd prefer a more general approach specifying directly the additional chronyd options included in /etc/sysconfig/chronyd, e.g. timesync_chronyd_custom_options.

The role already has timesync_chrony_custom_settings - so maybe timesync_chrony_sysconfig_settings for settings applied to /etc/sysconfig/chrony?

mlichvar (Collaborator)

Some systems don't have sysconfig, e.g. on Debian the options are in /etc/default/chrony, so I think the name should be general enough to work on all potentially supported distros.

richm (Collaborator) commented Apr 10, 2024

> Some systems don't have sysconfig, e.g. on Debian the options are in /etc/default/chrony, so I think the name should be general enough to work on all potentially supported distros.

Ok - what about timesync_chrony_service_settings?

mlichvar (Collaborator)

That's better. I'm not sure if it's clear enough that it's the command-line options. I suspect someone could confuse it with the systemd service settings.

brakkio86 (Author)

Hello, I've updated with the suggestion and using timesync_chrony_service_settings. What do you think now?
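The thread turns on two concrete things: what the CIS 2.1.2 check actually looks at (an explicit `-u chrony` in the `OPTIONS` line of /etc/sysconfig/chronyd, rather than the daemon's compiled-in default), and how a role variable such as the proposed `timesync_chrony_service_settings` would be rendered into that file. The following script is an added example, not code from the timesync role or from this PR. It parses a sysconfig-style file, reports whether chronyd's user is set explicitly, and renders the line a role would write from a list of option strings. The file/key mapping is an assumption: `OPTIONS` for /etc/sysconfig/chronyd is the key named in the thread, while `DAEMON_OPTS` for Debian's /etc/default/chrony and the list-of-strings shape of `timesync_chrony_service_settings` are assumed here. All sample file contents are constructed.

```python
import shlex
from typing import Dict, List, Optional

# Key that carries chronyd's command-line options in each distribution's
# environment file. OPTIONS in /etc/sysconfig/chronyd comes from the thread;
# DAEMON_OPTS for Debian's /etc/default/chrony is an assumption of this example.
OPTIONS_KEYS = {
    "/etc/sysconfig/chronyd": "OPTIONS",
    "/etc/default/chrony": "DAEMON_OPTS",
}


def parse_env_file(text: str) -> Dict[str, str]:
    """Parse a shell-style KEY=value file; comments and blank lines are ignored.

    Quoted values such as OPTIONS="-u chrony -F 2" are unquoted with shlex and
    returned as a single normalised string of options.
    """
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = " ".join(shlex.split(value, comments=True))
    return values


def chronyd_user(options: str) -> Optional[str]:
    """Return the user passed with -u, or None when chronyd would rely on its
    compiled-in default (which is 'chrony' on RHEL, as noted in the thread)."""
    argv = shlex.split(options)
    for i, arg in enumerate(argv):
        if arg == "-u" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("-u") and len(arg) > 2:   # attached form: -uchrony
            return arg[2:]
    return None


def audit_cis_2_1_2(path: str, text: str, expected_user: str = "chrony") -> dict:
    """Audit the user-related part of CIS 2.1.2: the benchmark wants the user
    stated explicitly in the file, so a compiled-in default does not count."""
    opts = parse_env_file(text).get(OPTIONS_KEYS[path], "")
    user = chronyd_user(opts)
    return {"options": opts, "explicit_user": user, "compliant": user == expected_user}


def render_options_line(path: str, settings: List[str]) -> str:
    """Render the line a role would write from a list of option strings
    (the assumed shape of timesync_chrony_service_settings)."""
    for token in settings:
        if '"' in token:
            raise ValueError(f"double quote not allowed in option token: {token!r}")
    return f'{OPTIONS_KEYS[path]}="{" ".join(settings)}"'


# Constructed samples: the first is what a CIS-compliant RHEL file looks like,
# the second is the stock file that leaves the user to the compiled-in default.
SAMPLE_RHEL_COMPLIANT = '# Command-line options for chronyd\nOPTIONS="-u chrony -F 2"\n'
SAMPLE_RHEL_DEFAULT_USER = 'OPTIONS=""\n'
SAMPLE_DEBIAN = 'DAEMON_OPTS="-F 1"\n'  # constructed; key name is an assumption


if __name__ == "__main__":
    rhel = "/etc/sysconfig/chronyd"
    for name, text in (("compliant", SAMPLE_RHEL_COMPLIANT),
                       ("default-user", SAMPLE_RHEL_DEFAULT_USER)):
        print(name, audit_cis_2_1_2(rhel, text))
    print("debian", audit_cis_2_1_2("/etc/default/chrony", SAMPLE_DEBIAN))
    # What the role would write if the variable were set to ["-u", "chrony"]
    print(render_options_line(rhel, ["-u", "chrony"]))
```

Run against a real host, `audit_cis_2_1_2` would take the contents of the distribution's file; the point it makes is the one brakkio86 raises: a file with `OPTIONS=""` is not compliant even though chronyd on RHEL ends up running as the same user. The `render_options_line` helper shows why a general list-of-options variable satisfies the benchmark without the role hard-coding `-u chrony` on platforms where that user name does not exist.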

richm (Collaborator) commented Jun 10, 2024

[citest]

richm (Collaborator) commented Jun 10, 2024

How can we test this? e.g. add or modify a test in https://github.com/linux-system-roles/timesync/tree/main/tests ?

@richm richm closed this Jun 10, 2024
@richm richm reopened this Jun 10, 2024
richm (Collaborator) commented Jun 10, 2024

I had to close and reopen the PR to trigger checks; not sure why the checks were not being run...

richm (Collaborator) commented Aug 1, 2024

Need a test for this in tests/
