rule.yml
36 lines (26 loc) · 1.05 KB
documentation_complete: true

prodtype: fedora,rhcos4,ol8,rhel8

title: 'Disable chrony daemon from acting as server'

description: |-
    The <tt>port</tt> option in <tt>/etc/chrony.conf</tt> can be set to
    <tt>0</tt> to make the chrony daemon never open any listening port
    for server operation and to operate strictly in a client-only mode.

rationale: |-
    Minimizing the exposure of the server functionality of the chrony
    daemon diminishes the attack surface.

severity: low

platform: machine # The check uses service_... extended definition, which doesn't support offline mode

identifiers:
    cce@rhel8: CCE-82988-7
    cce@rhcos4: CCE-82465-6

references:
    ospp: FMT_SMF_EXT.1
    srg: SRG-OS-000096-GPOS-00050,SRG-OS-000095-GPOS-00049
    stigid@rhel8: RHEL-08-030741
    disa: CCI-000381

ocil_clause: 'it does not exist or port is set to a non-zero value'

ocil: |-
    To verify that <tt>port</tt> has been set properly, perform the following:
    <pre>$ grep '\bport\b' /etc/chrony.conf</pre>
    The output should return
    <pre>port 0</pre>
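The OCIL text above leaves the pass/fail decision to the reader: a finding is raised when the `port` directive is missing or carries a non-zero value, and the suggested `grep` also prints commented-out lines. The script below is an added example (not the rule's own OVAL check or shipped remediation) that encodes that clause as a function, ignores commented lines, and rewrites a non-compliant file into client-only mode. The function names and the three sample configurations are constructed for this example and are not taken from any real host.

```shell
#!/bin/sh
# Added example, not part of the ComplianceAsCode rule above: evaluate a
# chrony configuration against the rule's OCIL clause ("it does not exist or
# port is set to a non-zero value") and bring a non-compliant file into
# client-only mode. Function names and sample configs are this example's own.

# check_chrony_port FILE
#   Returns 0 when FILE has an uncommented 'port 0' directive, 1 when the
#   directive is absent, the file is unreadable, or the value is non-zero.
check_chrony_port() {
    conf="$1"
    [ -r "$conf" ] || return 1
    # Take the last uncommented 'port <n>' directive. Commented copies such
    # as '#port 0' are skipped, unlike the page's plain grep which prints
    # them too. Last-one-wins is this example's assumption.
    value=$(sed -n 's/^[[:space:]]*port[[:space:]]\{1,\}\([0-9]\{1,\}\).*$/\1/p' "$conf" | tail -n 1)
    [ -n "$value" ] || return 1   # no directive: chronyd falls back to its default (123)
    [ "$value" -eq 0 ]            # non-zero value: server mode stays enabled
}

# remediate_chrony_port FILE
#   Rewrites an existing uncommented 'port' directive to 'port 0', or appends
#   one when none is present. Goes through a temp copy so it works with a
#   POSIX sed (no GNU-only -i).
remediate_chrony_port() {
    conf="$1"
    if grep -q '^[[:space:]]*port[[:space:]]' "$conf"; then
        sed 's/^[[:space:]]*port[[:space:]].*$/port 0/' "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf 'port 0\n' >> "$conf"
    fi
}

# Constructed sample configurations covering the three cases the clause names.
tmp=$(mktemp -d)
printf 'server ntp.example.org iburst\nport 0\n' > "$tmp/compliant.conf"
printf 'server ntp.example.org iburst\n#port 0\nport 123\n' > "$tmp/serving.conf"
printf 'server ntp.example.org iburst\n' > "$tmp/missing.conf"

for f in compliant serving missing; do
    if check_chrony_port "$tmp/$f.conf"; then
        echo "$f.conf: pass"
    else
        echo "$f.conf: FAIL (chronyd may act as a server)"
    fi
done
```

Run it as-is to see `compliant.conf` pass and the other two fail; point `check_chrony_port` at `/etc/chrony.conf` to audit a real host. The check is deliberately stricter than the page's `grep '\bport\b'`: a file whose only `port 0` is commented out still fails, which is the condition the rule is meant to catch.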