Fix chrony remediation to use confdir instead of include #14636

Merged
yuumasato merged 1 commit into ComplianceAsCode:master from Vincent056:fix-chrony-remediation-confdir on Apr 10, 2026
@Vincent056
Contributor

Summary

  • The OVAL check for chronyd_specify_remote_server was refactored in 6c23929 to parse confdir/sourcedir directives from chrony.conf to locate NTP server entries in sub-config files.
  • The chrony MachineConfig remediation still uses include /etc/chrony.d/*.conf, which the updated OVAL does not follow, causing the rule to FAIL after remediation despite servers being correctly configured.
  • Replace include /etc/chrony.d/*.conf with confdir /etc/chrony.d — functionally equivalent for chrony and recognized by the OVAL check.

The OVAL check for chronyd_specify_remote_server was updated in
6c23929 to parse confdir/sourcedir directives instead of scanning
chrony.d directly. The remediation still used "include /etc/chrony.d/*.conf"
which the OVAL check does not follow, causing the rule to FAIL after
remediation.

Replace "include /etc/chrony.d/*.conf" with "confdir /etc/chrony.d"
which is functionally equivalent for chrony and is recognized by the
OVAL check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
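
A simplified model of the mismatch described above, as an added example that is not code from this PR or from ComplianceAsCode. It assumes the check looks for `server`/`pool` lines in chrony.conf and in the directories named by `confdir`/`sourcedir`, and never expands `include`; the function names, the temporary directory layout and the ntp.example.com hostname are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: a time source is a "server" or "pool" line. chrony reads *.conf
# files from a confdir and *.sources files from a sourcedir.
SOURCE_RE = re.compile(r"^[ \t]*(server|pool)[ \t]+\S+", re.M)
DIR_RE = re.compile(r"^[ \t]*(confdir|sourcedir)[ \t]+(.+)$", re.M)
SUFFIX = {"confdir": "*.conf", "sourcedir": "*.sources"}


def has_remote_server(main_conf: Path, root: Path) -> bool:
    """Model of a check that follows confdir/sourcedir but not include.

    `root` is prepended to absolute paths so the demo runs inside a temp dir.
    """
    text = main_conf.read_text()
    if SOURCE_RE.search(text):          # source defined directly in chrony.conf
        return True
    for directive, args in DIR_RE.findall(text):
        for name in args.split():       # both directives accept several dirs
            directory = root / name.lstrip("/")
            for path in sorted(directory.glob(SUFFIX[directive])):
                if SOURCE_RE.search(path.read_text()):
                    return True
    return False                        # "include" lines are never expanded


def evaluate(main_conf_body: str) -> bool:
    """Build a constructed /etc tree with one drop-in and run the model."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        dropin = root / "etc/chrony.d"
        dropin.mkdir(parents=True)
        # Constructed sample drop-in; the hostname is a placeholder.
        (dropin / "ntp-servers.conf").write_text("server ntp.example.com iburst\n")
        main = root / "etc/chrony.conf"
        main.write_text(main_conf_body)
        return has_remote_server(main, root)


if __name__ == "__main__":
    print("include:", evaluate("include /etc/chrony.d/*.conf\n"))  # fails check
    print("confdir:", evaluate("confdir /etc/chrony.d\n"))         # passes check
```

In both runs chronyd itself would load the same drop-in file; only the confdir form is visible to a check built this way.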
@yuumasato yuumasato self-assigned this Apr 10, 2026
@openshift-ci

openshift-ci Bot commented Apr 10, 2026

@Vincent056: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-aws-openshift-node-compliance | eb38374 | link | true | /test e2e-aws-openshift-node-compliance |

@yuumasato yuumasato added this to the 0.1.81 milestone Apr 10, 2026
Member

@yuumasato yuumasato left a comment

/lgtm

@yuumasato yuumasato merged commit c252039 into ComplianceAsCode:master Apr 10, 2026
63 of 65 checks passed
yuumasato added a commit to yuumasato/scap-security-guide that referenced this pull request Apr 11, 2026
…remediation-confdir

Fix chrony remediation to use confdir instead of include