Relax chrony check and remediations #9156

Merged
merged 3 commits into ComplianceAsCode:master on Jul 15, 2022

Conversation


@matejak matejak commented Jul 15, 2022

Description:

I have verified that the '-u chrony' in OPTIONS is not needed on RHEL7-9, nor on Fedora.
The chrony user is the one that is used to run the service.
As a result, I have updated the check, remediations and description.

I have also updated existing check + remediation content wrt POSIX CLI standards.

Rationale:

Having correct configuration labelled as non-compliant just adds noise.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2077531

I have verified that the '-u chrony' in OPTIONS is not needed
on RHEL7-9, nor on Fedora.
The chrony user is the one that is used to run the service.
As a result, I have updated the check, remediations and description.

The behavior stays the same for the other systems.
... on systems with a compliant default setting.
Specifying '-u chrony' is not the only way - '-uchrony' is equally valid.
I have verified this functionally.
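As an added example (not code from the PR or from the ComplianceAsCode project), the relaxed OCIL check from this PR written as a shell function and run against constructed /etc/sysconfig/chronyd contents; it assumes the GNU-only `\s` and `\b` escapes of the original grep are replaced by POSIX character classes so the same check works under any POSIX grep.

```shell
#!/bin/sh
# Added example, not code from the PR or from ComplianceAsCode: the relaxed
# OCIL check from this PR as a function, run against constructed
# /etc/sysconfig/chronyd contents. The GNU-only \s and \b escapes of the
# original grep are replaced here by POSIX classes (an assumption of this
# example) so the check behaves the same under any POSIX grep.
chronyd_user_override_ok() {
    file="$1"
    # Keep OPTIONS lines that carry "-u" anywhere, then drop the ones whose
    # user is exactly "chrony", with or without a space after -u. Whatever is
    # left is an override to another user. A missing file yields no lines,
    # i.e. the distribution default (service runs as chrony) is in effect.
    bad=$(grep '^OPTIONS.*-u' "$file" 2>/dev/null \
          | grep -E -v -e '-u[[:space:]]*chrony([^[:alnum:]_]|$)' || true)
    [ -z "$bad" ]
}

# Write one constructed OPTIONS line to a temp file and report pass/fail.
check_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    if chronyd_user_override_ok "$tmp"; then result=pass; else result=fail; fi
    rm -f "$tmp"
    echo "$result"
}

check_sample 'OPTIONS="-u chrony"'       # pass
check_sample 'OPTIONS=-uchrony'          # pass: no space is equally valid
check_sample 'OPTIONS=""'                # pass: no override, default user
check_sample 'OPTIONS="-u ntp"'          # fail: service would run as ntp
check_sample 'OPTIONS="-u chronyd -x"'   # fail: "chronyd" is not "chrony"
```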
@matejak matejak added this to the 0.1.63 milestone Jul 15, 2022

@github-actions

This datastream diff is auto-generated by the check Compare DS/Generate Diff:
OVAL definition oval:ssg-chronyd_run_as_chrony_user:def:1 differs:
--- old datastream
+++ new datastream
- criteria OR
- criterion oval:ssg-test_chronyd_run_as_chrony_user:tst:1
- criterion oval:ssg-test_chronyd_run_as_chrony_user_config_file_exists:tst:1
+ criterion oval:ssg-test_no_user_override:tst:1
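Review bot: The new definition replaces the OR of test_chronyd_run_as_chrony_user and test_chronyd_run_as_chrony_user_config_file_exists with the single criterion oval:ssg-test_no_user_override:tst:1, so the explicit "config file does not exist" branch is gone; please confirm that test_no_user_override itself evaluates to pass when /etc/sysconfig/chronyd is absent (a test over a file-content object needs its existence check to tolerate zero items for that), otherwise hosts without the file, which the old OR branch explicitly accepted, would flip from pass to fail.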
OCIL for rule 'xccdf_org.ssgproject.content_rule_chronyd_run_as_chrony_user' differs:
--- old datastream
+++ new datastream
@@ -1,5 +1,4 @@
-Run the following command and verify that -u chrony is included in OPTIONS:
-# grep "^OPTIONS" /etc/sysconfig/chronyd
-OPTIONS="-u chrony"
+# grep "^OPTIONS.*-u" /etc/sysconfig/chronyd | grep -v -e '-u\s*chrony\b'
+returns no output
 Is it the case that chronyd is not running under chrony user account?
 
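Review bot: The `+` lines drop the sentence that introduced the command, so the OCIL now opens with a bare `# grep ...` followed by `returns no output`; keep an instruction such as `Run the following command and verify that it returns no output:`. Also, `\s` and `\b` in `grep -v -e '-u\s*chrony\b'` are GNU grep extensions rather than POSIX regex, which sits oddly with the PR's stated POSIX clean-up; `grep -E -v -e '-u[[:space:]]*chrony([^[:alnum:]_]|$)'` is the portable spelling with the same meaning.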
bash remediation for rule 'xccdf_org.ssgproject.content_rule_chronyd_run_as_chrony_user' differs:
--- old datastream
+++ new datastream
@@ -4,7 +4,13 @@
 if grep -q 'OPTIONS=.*' /etc/sysconfig/chronyd; then
 # trying to solve cases where the parameter after OPTIONS
 #may or may not be enclosed in quotes
- sed -i -E -e 's/\s*-u\s+\w+\s*/ /' -e 's/^([\s]*OPTIONS=["]?[^"]*)("?)/\1 -u chrony\2/' /etc/sysconfig/chronyd
+ sed -i -E -e 's/\s*-u\s*\w+\s*/ /' -e 's/^([\s]*OPTIONS=["]?[^"]*)("?)/\1\2/' /etc/sysconfig/chronyd
+fi
+
+if grep -q 'OPTIONS=.*' /etc/sysconfig/chronyd; then
+ # trying to solve cases where the parameter after OPTIONS
+ #may or may not be enclosed in quotes
+ sed -i -E -e 's/\s*-u\s*\w+\s*/ /' -e 's/^([\s]*OPTIONS=["]?[^"]*)("?)/\1 -u chrony\2/' /etc/sysconfig/chronyd
 else
 echo 'OPTIONS="-u chrony"' >> /etc/sysconfig/chronyd
 fi
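Review bot: The second `-e` expression of the first block, `s/^([\s]*OPTIONS=["]?[^"]*)("?)/\1\2/`, replaces the match with itself and is a no-op, so only the `-u` stripping in that block does anything; drop the expression. More importantly, the two blocks together strip any `-u <user>` and then immediately re-add `-u chrony`, which is exactly what the old single sed did, so for this datastream the behaviour is unchanged while the grep and the comment are duplicated; if the second block is meant to run only on platforms that still require `-u chrony`, that condition should be visible here, otherwise the first block can go. Pre-existing but worth fixing while touching the line: inside a bracket expression POSIX treats the backslash literally, so `[\s]*` matches backslashes and the letter s rather than whitespace; `[[:space:]]*` is the intended form.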

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_chronyd_run_as_chrony_user' differs:
--- old datastream
+++ new datastream
@@ -31,7 +31,7 @@
 - name: Remove any previous configuration of user used to run chronyd process
 replace:
 path: /etc/sysconfig/chronyd
- regexp: \s*-u\s+\w+\s*
+ regexp: \s*-u\s*\w+\s*
 replace: ' '
 when:
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
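Review bot: Relaxing `\s+` to `\s*` in `regexp: \s*-u\s*\w+\s*` correctly covers the `-uchrony` spelling, but with nothing anchoring the `-u`, the pattern can also match a `-u` that is the tail of another token and strip the word characters after it; `(^|\s)-u\s*\w+\s*` keeps the replacement to a standalone option. Replacing with `' '` also leaves a stray space inside the quotes (`OPTIONS=" "`), harmless but untidy; replacing with an empty string and trimming would give a cleaner result.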
@@ -45,43 +45,3 @@
 - low_disruption
 - medium_severity
 - no_reboot_needed
-
-- name: Correct existing line in /etc/sysconfig/chronyd to run chronyd as chrony user
- lineinfile:
- path: /etc/sysconfig/chronyd
- regexp: ^([\s]*OPTIONS=["]?[^"]*)("?)
- line: \1 -u chrony\2
- state: present
- backrefs: true
- when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"chrony" in ansible_facts.packages'
- - chronyd_file is defined and chronyd_file.matched > 0
- tags:
- - CCE-82879-8
- - chronyd_run_as_chrony_user
- - configure_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
-
-- name: Insert correct line into /etc/sysconfig/chronyd ensuring chronyd runs as chrony
- user
- lineinfile:
- path: /etc/sysconfig/chronyd
- line: OPTIONS="-u chrony"
- state: present
- create: true
- when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"chrony" in ansible_facts.packages'
- - chronyd_file is defined and chronyd_file.matched == 0
- tags:
- - CCE-82879-8
- - chronyd_run_as_chrony_user
- - configure_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
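Review bot: With the two lineinfile tasks removed, the replace task is the only remaining edit, so the playbook no longer creates /etc/sysconfig/chronyd or inserts an OPTIONS line; that matches the description (the service runs as chrony by default), but the removed `when:` conditions referenced `chronyd_file.matched`, so check whether the task that registers `chronyd_file` is still in the playbook and drop it too if nothing else consumes it, rather than gathering an unused fact on every run.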

@codeclimate

codeclimate bot commented Jul 15, 2022

Code Climate has analyzed commit cf086ed and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 42.7% (0.0% change).


@openshift-ci

openshift-ci bot commented Jul 15, 2022

@matejak: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                         | Commit  | Details | Required | Rerun command
ci/prow/e2e-aws-rhcos4-moderate   | cf086ed | link    | true     | /test e2e-aws-rhcos4-moderate
ci/prow/e2e-aws-rhcos4-high       | cf086ed | link    | true     | /test e2e-aws-rhcos4-high


@Mab879 Mab879 (Member) left a comment

If you think that this should apply to OL as well, please open a new PR.

@@ -1,4 +1,5 @@
#!/bin/bash
# platform = multi_platform_rhel,multi_platform_fedora

Suggested change
# platform = multi_platform_rhel,multi_platform_fedora
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol

@Mab879 Mab879 self-assigned this Jul 15, 2022
@Mab879 Mab879 added RHEL Red Hat Enterprise Linux product related. Oracle Linux Oracle Linux product related. Update Rule Issues or pull requests related to Rules updates. labels Jul 15, 2022
@Mab879 Mab879 merged commit 66fa35c into ComplianceAsCode:master Jul 15, 2022