From 84570c18cdb33beb3c8c7732af18e922d822e2e5 Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Mon, 27 Jan 2025 10:27:53 +0100
Subject: [PATCH 1/4] Create new variable var_timesync_service

The variable is used to select the desired timesync service (systemd-timesync vs chrony) in package/service install/enable rules when using _guard_var templates. Analogous to var_network_filtering_service introduced in #11818
---
 .../guide/services/ntp/var_timesync_service.var | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 linux_os/guide/services/ntp/var_timesync_service.var

diff --git a/linux_os/guide/services/ntp/var_timesync_service.var b/linux_os/guide/services/ntp/var_timesync_service.var
new file mode 100644
index 00000000000..aa820c0db2c
--- /dev/null
+++ b/linux_os/guide/services/ntp/var_timesync_service.var
@@ -0,0 +1,17 @@
+documentation_complete: true
+
+title: 'Time synchronization service'
+
+description: |-
+ Time synchronization service: systemd-timesyncd or chronyd
+
+type: string
+
+operator: equals
+
+interactive: true
+
+options:
+ systemd-timesyncd: systemd-timesyncd
+ chronyd: chronyd
+ default: systemd-timesyncd

From f8559c66a271b2cd0bb462143b3b78ba74908605 Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Mon, 27 Jan 2025 10:21:30 +0100
Subject: [PATCH 2/4] Switch to selecting timesync with var_timesync_service on Ubuntu 24.04

---
 controls/cis_ubuntu2404.yml | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index 157148af86a..91175c5f03e 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
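Review bot: The `+description: |-` text lists the two daemons but says nothing about what selecting one does, so the rendered variable text gives a profile author no hint that on Ubuntu 24.04 the package and service rules for the other daemon are gated by this value; that context only lives in the commit message. A second sentence such as `On Ubuntu 24.04 the chrony and systemd-timesyncd package/service rules apply only to the daemon selected here.` would carry it into the guide. The behaviour of the unselected rules is taken from the later patches in this series rather than from this file, so phrase it to match the _guard_var template documentation.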
@@ -940,8 +940,18 @@ controls:
 - l1_server
 - l1_workstation
 rules:
+ - var_timesync_service=systemd-timesyncd
+ - package_chrony_installed
+ - service_chronyd_enabled
+ - service_chronyd_disabled
+ - package_timesyncd_installed
+ - service_timesyncd_enabled
+ - service_timesyncd_disabled
 - ntp_single_service_active
 status: automated
+ notes: |
+ To select which timesync daemon to install and configure, use the
+ profile variable var_timesync_service.
 - id: 2.3.2.1
 title: Ensure systemd-timesyncd configured with authorized timeserver (Automated)
@@ -958,10 +968,11 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- rules:
- - service_chronyd_disabled
+ related_rules:
 - service_timesyncd_enabled
+ - service_timesyncd_disabled
 status: automated
+ notes: Implemented in 2.3.1.1
 - id: 2.3.3.1
 title: Ensure chrony is configured with authorized timeserver (Automated)
@@ -977,7 +988,6 @@ controls:
 Rule does not check or remediate config files included via confdir and sourcedir directives.
-
 - id: 2.3.3.2
 title: Ensure chrony is running as user _chrony (Automated)
 levels:
@@ -992,10 +1002,11 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- rules:
- - "!service_chronyd_enabled"
- - "!service_timesyncd_disabled"
+ related_rules:
+ - service_chronyd_enabled
+ - service_chronyd_disabled
 status: automated
+ notes: Implemented in 2.3.1.1
 - id: 2.4.1.1
 title: Ensure cron daemon is enabled and active (Automated)

From 56617759b87c9412135f7a95f43c63a310a796b2 Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Mon, 27 Jan 2025 10:40:09 +0100
Subject: [PATCH 3/4] Use _guard_var templates for timesync packages on Ubuntu 24.04

---
 .../services/ntp/package_chrony_installed/rule.yml | 10 +++++++++-
 .../services/ntp/package_timesyncd_installed/rule.yml | 9 +++++++++
 .../services/ntp/package_timesyncd_removed/rule.yml | 9 +++++++++
 3 files changed, 27 insertions(+), 1 deletion(-)
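Review bot: The new `rules:` list for 2.3.1.1 installs and enables the selected daemon and disables the other one, but nothing in it removes the package of the daemon that is not selected: `package_timesyncd_removed` is converted to the guard template in patch 3 of this series yet is not selected here, and no chrony removal rule is part of the series. If the intent is to rely on the disabled-service rules plus `ntp_single_service_active`, or on apt package conflicts, the `notes:` block should say so; otherwise add `- package_timesyncd_removed` to this list so the unselected daemon cannot be re-enabled by hand later. Selecting both `service_chronyd_enabled` and `service_chronyd_disabled` reads as a contradiction to anyone unaware of the guard templates, so the note could also state that on this product the rules for the daemon not named by `var_timesync_service` pass without acting.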
diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
index f77ef6af476..235732f4e30 100644
--- a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
+++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
@@ -15,7 +15,6 @@ rationale: |-
 severity: medium
-
 identifiers:
 cce@rhel8: CCE-82874-9
 cce@rhel9: CCE-84215-3
@@ -46,7 +45,16 @@ fixtext: '{{{ describe_package_install(package="chrony") }}}'
 srg_requirement: '{{{ srg_requirement_package_installed("chrony") }}}'
+{{%- if product in [ "ubuntu2404" ] %}}
+template:
+ name: package_installed_guard_var
+ vars:
+ pkgname: chrony
+ variable: var_timesync_service
+ value: chronyd
+{{%- else %}}
 template:
 name: package_installed
 vars:
 pkgname: chrony
+{{%- endif %}}
diff --git a/linux_os/guide/services/ntp/package_timesyncd_installed/rule.yml b/linux_os/guide/services/ntp/package_timesyncd_installed/rule.yml
index f13c98060e9..f914a5fe346 100644
--- a/linux_os/guide/services/ntp/package_timesyncd_installed/rule.yml
+++ b/linux_os/guide/services/ntp/package_timesyncd_installed/rule.yml
@@ -22,7 +22,16 @@ references:
 nist-csf: PR.PT-1
 pcidss: Req-10.4
+{{%- if product in [ "ubuntu2404" ] %}}
+template:
+ name: package_installed_guard_var
+ vars:
+ pkgname: systemd-timesyncd
+ variable: var_timesync_service
+ value: systemd-timesyncd
+{{%- else %}}
 template:
 name: package_installed
 vars:
 pkgname: systemd-timesyncd
+{{%- endif %}}
diff --git a/linux_os/guide/services/ntp/package_timesyncd_removed/rule.yml b/linux_os/guide/services/ntp/package_timesyncd_removed/rule.yml
index 47c61d33e38..4fbf2138708 100644
--- a/linux_os/guide/services/ntp/package_timesyncd_removed/rule.yml
+++ b/linux_os/guide/services/ntp/package_timesyncd_removed/rule.yml
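Review bot: `value: chronyd` on the new `package_installed_guard_var` branch is a plain string that must equal the `chronyd: chronyd` option defined in the new .var file, and nothing in the build ties the two together; the same holds for `value: systemd-timesyncd` in package_timesyncd_installed below and in the five other rule files of patches 3 and 4. A mismatch would not fail the build, it would make the guard never match and the rule silently stop checking, so a comment above each guarded block such as `# value must equal one of the options of var_timesync_service` is worth adding. The diffstats of patches 3 and 4 list only rule.yml files, so no test scenario exercises the guarded branch; scenarios in each rule's tests directory that set the variable to each option would catch a reversed or mistyped guard.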
@@ -18,7 +18,16 @@ references:
 disa: CCI-000366
 stigid@ubuntu2204: UBTU-22-215020
+{{%- if product in [ "ubuntu2404" ] %}}
+template:
+ name: package_removed_guard_var
+ vars:
+ pkgname: systemd-timesyncd
+ variable: var_timesync_service
+ value: systemd-timesyncd
+{{%- else %}}
 template:
 name: package_removed
 vars:
 pkgname: systemd-timesyncd
+{{%- endif %}}

From 13f6dbc5a83a83e548814550362ae33291afcd0b Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Mon, 27 Jan 2025 10:49:01 +0100
Subject: [PATCH 4/4] Use _guard_var templates for timesync services on Ubuntu 24.04

---
 .../services/ntp/service_chronyd_disabled/rule.yml | 10 ++++++++++
 .../services/ntp/service_chronyd_enabled/rule.yml | 10 ++++++++++
 .../services/ntp/service_timesyncd_disabled/rule.yml | 11 ++++++++++-
 .../services/ntp/service_timesyncd_enabled/rule.yml | 10 ++++++++++
 4 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/services/ntp/service_chronyd_disabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_disabled/rule.yml
index 58733e2ec9e..75cfd848618 100644
--- a/linux_os/guide/services/ntp/service_chronyd_disabled/rule.yml
+++ b/linux_os/guide/services/ntp/service_chronyd_disabled/rule.yml
@@ -13,6 +13,15 @@ severity: medium
 platform: package[chrony]
+{{%- if product in [ "ubuntu2404" ] %}}
+template:
+ name: service_disabled_guard_var
+ vars:
+ packagename: chrony
+ servicename: chrony
+ variable: var_timesync_service
+ value: chronyd
+{{%- else %}}
 template:
 name: service_disabled
 vars:
@@ -21,3 +30,4 @@ template:
 servicename@ubuntu2004: chrony
 servicename@ubuntu2204: chrony
 servicename@debian12: chrony
+{{%- endif %}}
diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
index 9623fd696aa..863ee78ba12 100644
--- a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
+++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
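Review bot: The `value: systemd-timesyncd` under `package_removed_guard_var` here and the `value: chronyd` under `service_disabled_guard_var` in service_chronyd_disabled name the daemon the rule acts on, not the variable value that makes the rule apply, because `service_chronyd_enabled` in the following file carries the same `value: chronyd`; the removed/disabled templates therefore have to apply when the variable differs from `value`, the opposite of the installed/enabled ones. If either template instead applied on equality, `service_chronyd_disabled` would disable chronyd exactly when chronyd is the selected daemon and leave the host without a time source, so this deserves a check against the template documentation before merge. A comment above `template:` in the removed and disabled rules, e.g. `# guarded: applies only when var_timesync_service is not systemd-timesyncd`, would make the inverted meaning explicit; the same applies to service_timesyncd_disabled later in this patch.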
@@ -41,6 +41,15 @@ fixtext: '{{{ fixtext_service_enabled(service="chronyd") }}}'
 srg_requirement: '{{{ srg_requirement_service_enabled(service="chronyd") }}}'
+{{%- if product in [ "ubuntu2404" ] %}}
+template:
+ name: service_enabled_guard_var
+ vars:
+ packagename: chrony
+ servicename: chrony
+ variable: var_timesync_service
+ value: chronyd
+{{%- else %}}
 template:
 name: service_enabled
 vars:
@@ -49,3 +58,4 @@ template:
 servicename@ubuntu2004: chrony
 servicename@ubuntu2204: chrony
 servicename@debian12: chrony
+{{%- endif %}}
diff --git a/linux_os/guide/services/ntp/service_timesyncd_disabled/rule.yml b/linux_os/guide/services/ntp/service_timesyncd_disabled/rule.yml
index 4128dcd2104..068d5079f7d 100644
--- a/linux_os/guide/services/ntp/service_timesyncd_disabled/rule.yml
+++ b/linux_os/guide/services/ntp/service_timesyncd_disabled/rule.yml
@@ -1,6 +1,5 @@
 documentation_complete: true
-
 title: 'Disable systemd_timesyncd Service'
 description: |-
@@ -18,8 +17,18 @@ severity: medium
 platform: package[systemd-timesyncd]
+{{%- if product in [ "ubuntu2404" ] %}}
+template:
+ name: service_disabled_guard_var
+ vars:
+ packagename: systemd-timesyncd
+ servicename: systemd-timesyncd
+ variable: var_timesync_service
+ value: systemd-timesyncd
+{{%- else %}}
 template:
 name: service_disabled
 vars:
 servicename: systemd-timesyncd
 packagename: systemd-timesyncd
+{{%- endif %}}
diff --git a/linux_os/guide/services/ntp/service_timesyncd_enabled/rule.yml b/linux_os/guide/services/ntp/service_timesyncd_enabled/rule.yml
index 7e2ee284164..e0e0f1dd412 100644
--- a/linux_os/guide/services/ntp/service_timesyncd_enabled/rule.yml
+++ b/linux_os/guide/services/ntp/service_timesyncd_enabled/rule.yml
@@ -43,8 +43,18 @@ references:
 ocil: |-
 {{{ ocil_service_enabled(service="systemd_timesyncd") }}}
+{{%- if product in [ "ubuntu2404" ] %}}
+template:
+ name: service_enabled_guard_var
+ vars:
+ packagename: systemd-timesyncd
+ servicename: systemd-timesyncd
+ variable: var_timesync_service
+ value: systemd-timesyncd
+{{%- else %}}
 template:
 name: service_enabled
 vars:
 servicename: systemd-timesyncd
 packagename: systemd
+{{%- endif %}}
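Review bot: The new branch sets `packagename: systemd-timesyncd` while the `{{%- else %}}` branch kept in the same file has `packagename: systemd`, and service_timesyncd_disabled in the previous file uses `systemd-timesyncd` on both of its branches; this is the one rule in the series where the two branches disagree on the package name. If the `systemd` value is deliberate for the other products (timesyncd shipped inside the systemd package there, which is inferred and not visible here), a one-line comment on the else branch such as `# systemd-timesyncd is part of the systemd package on these products` would keep a later cleanup from unifying the two; if it is not deliberate, the guard branch now documents the value the else branch should also carry. The rest of the rule lies outside the hunk, so whether a product-qualified `packagename@ubuntu2404` already exists above cannot be checked from here.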