Replace shell command with find for chrony.conf files on UBTU-20-010435

[dexterle]

Description:

• Fix UBTU-20-010435
• Enhance Ansible remediation to remove shell module calls

Rationale:

• Part of Ubuntu 20.04 DISA STIG v1r9 profile upgrade
• Ubuntu2004 stig profile v1r9 update #10738

Review Hints:

Build the product:

./build_product ubuntu2004

To test these changes with Ansible:

ansible-playbook build/ansible/ubuntu2004-playbook-stig.yml --tags "DISA-STIG-UBTU-20-010435"

Checkout Manual STIG OVAL definitions, and use software like DISA STIG Viewer to view definitions.

git checkout dexterle:add-manual-stig-ubtu-20-v1r9

This STIG can not be tested with the latest Ubuntu 2004 Benchmark SCAP. Please perform a manual check given the check text. For reference, please review the latest artifacts: https://public.cyber.mil/stigs/downloads/

[openshift-ci]

Hi @dexterle. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll' differs.
--- xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll
+++ xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll
@@ -19,8 +19,8 @@
   tags:
     - always
 
-- name: Check that /etc/ntp.conf exist
-  stat:
+- name: Configure Time Service Maxpoll Interval - Check That /etc/ntp.conf Exist
+  ansible.builtin.stat:
     path: /etc/ntp.conf
   register: ntp_conf_exist_result
   when:
@@ -39,8 +39,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Update the maxpoll values in /etc/ntp.conf
-  replace:
+- name: Configure Time Service Maxpoll Interval - Update the Maxpoll Values in /etc/ntp.conf
+  ansible.builtin.replace:
     path: /etc/ntp.conf
     regexp: ^(server.*maxpoll)[ ]+[0-9]+(.*)$
     replace: \1 {{ var_time_service_set_maxpoll }}\2
@@ -61,8 +61,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Set the maxpoll values in /etc/ntp.conf
-  replace:
+- name: Configure Time Service Maxpoll Interval - Set the Maxpoll Values in /etc/ntp.conf
+  ansible.builtin.replace:
     path: /etc/ntp.conf
     regexp: (^server\s+((?!maxpoll).)*)$
     replace: \1 maxpoll {{ var_time_service_set_maxpoll }}\n
@@ -83,8 +83,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Check that /etc/chrony.conf exist
-  stat:
+- name: Configure Time Service Maxpoll Interval - Check That /etc/chrony.conf Exist
+  ansible.builtin.stat:
     path: /etc/chrony.conf
   register: chrony_conf_exist_result
   when:
@@ -103,18 +103,12 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Get get conf files from /etc/chrony.conf
-  shell: |
-    set -o pipefail
-    CHRONY_NAME=/etc/chrony.conf
-    CHRONY_PATH=${CHRONY_NAME%%.*}
-    find ${CHRONY_PATH}.* -type f -name '*.conf'
-  register: update_chrony_files
+- name: Configure Time Service Maxpoll Interval - Set Chrony Path Facts
+  ansible.builtin.set_fact:
+    chrony_path: /etc/chrony.conf
   when:
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - ( "chrony" in ansible_facts.packages or "ntp" in ansible_facts.packages )
-  - chrony_conf_exist_result.stat.exists
-  changed_when: false
   tags:
   - CCE-84059-5
   - DISA-STIG-RHEL-08-030740
@@ -128,16 +122,16 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Update the maxpoll values in /etc/chrony.conf
-  replace:
-    path: '{{ item }}'
-    regexp: ^((?:server|pool|peer).*maxpoll)[ ]+[0-9]+(.*)$
-    replace: \1 {{ var_time_service_set_maxpoll }}\2
-  loop: '{{ update_chrony_files.stdout_lines|list|flatten|unique }}'
+- name: Configure Time Service Maxpoll Interval - Get Conf Files from {{ chrony_path
+    | dirname }}
+  ansible.builtin.find:
+    path: '{{ chrony_path | dirname }}'
+    patterns: '*.conf'
+    file_type: file
+  register: chrony_conf_files
   when:
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - ( "chrony" in ansible_facts.packages or "ntp" in ansible_facts.packages )
-  - chrony_conf_exist_result.stat.exists
   tags:
   - CCE-84059-5
   - DISA-STIG-RHEL-08-030740
@@ -151,16 +145,16 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Set the maxpoll values in /etc/chrony.conf
-  replace:
-    path: '{{ item }}'
-    regexp: (^(?:server|pool|peer)\s+((?!maxpoll).)*)$
-    replace: \1 maxpoll {{ var_time_service_set_maxpoll }}\n
-  loop: '{{ update_chrony_files.stdout_lines|list|flatten|unique }}'
+- name: Configure Time Service Maxpoll Interval - Update the Maxpoll Values in /etc/chrony.conf
+  ansible.builtin.replace:
+    path: '{{ item.path }}'
+    regexp: ^((?:server|pool|peer).*maxpoll)[ ]+[0-9]+(.*)$
+    replace: \1 {{ var_time_service_set_maxpoll }}\2
+  loop: '{{ chrony_conf_files.files }}'
   when:
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - ( "chrony" in ansible_facts.packages or "ntp" in ansible_facts.packages )
-  - chrony_conf_exist_result.stat.exists
+  - chrony_conf_files.matched
   tags:
   - CCE-84059-5
   - DISA-STIG-RHEL-08-030740
@@ -173,3 +167,26 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
+- name: Configure Time Service Maxpoll Interval - Set the Maxpoll Values in /etc/chrony.conf
+  ansible.builtin.replace:
+    path: '{{ item.path }}'
+    regexp: (^(?:server|pool|peer)\s+((?!maxpoll).)*)$
+    replace: \1 maxpoll {{ var_time_service_set_maxpoll }}\n
+  loop: '{{ chrony_conf_files.files }}'
+  when:
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( "chrony" in ansible_facts.packages or "ntp" in ansible_facts.packages )
+  - chrony_conf_files.matched
+  tags:
+  - CCE-84059-5
+  - DISA-STIG-RHEL-08-030740
+  - NIST-800-53-AU-12(1)
+  - NIST-800-53-AU-8(1)(b)
+  - NIST-800-53-CM-6(a)
+  - chronyd_or_ntpd_set_maxpoll
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy

[codeclimate]

Code Climate has analyzed commit 37f08d8 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 53.8% (0.0% change).

View more on Code Climate.

[marcusburghardt]

Great improvement. Thanks @dexterle