Relax chrony check and remediations #9156
I have verified that the '-u chrony' in OPTIONS is not needed on RHEL7-9, nor on Fedora. The chrony user is the one that is used to run the service. As a result, I have updated the check, remediations and description. The behavior stays the same for the other systems.
... on systems with a compliant default setting.
Specifying '-u chrony' is not the only way - '-uchrony' is equally valid. I have verified this functionally.
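As an added example (not code from the ComplianceAsCode project or from this PR), the following shell check reads the `-u` user out of an `OPTIONS=` line the way the relaxed rule does: it accepts both `-u chrony` and `-uchrony`, treats a missing `-u` or an absent file as the compliant packaged default, and reports only an override that names some other user. The `chronyd_*` function names and the temporary sample file are constructed for this illustration.

```shell
#!/bin/bash
# Added example, not code from the ComplianceAsCode project or this PR.
# Extracts the user that an /etc/sysconfig/chronyd OPTIONS line passes to -u,
# accepting both "-u chrony" and "-uchrony", and treats the line as compliant
# when -u is absent or names chrony. Function names are hypothetical.

# Print the user given to -u in one OPTIONS line (quotes optional), or nothing
# when the line carries no -u. Mirrors the rule's \w+ by accepting [[:alnum:]_].
chronyd_options_user() {
    local line="$1" value
    value=${line#*OPTIONS=}                 # drop everything up to OPTIONS=
    value=${value#'"'}; value=${value%'"'}  # strip optional surrounding quotes
    printf '%s\n' "$value" \
        | grep -oE '(^|[[:space:]])-u[[:space:]]*[[:alnum:]_]+' \
        | head -n1 \
        | sed -E 's/^[[:space:]]*-u[[:space:]]*//'
}

# Return 0 when the line is compliant (no -u, or -u naming chrony), 1 otherwise.
chronyd_options_compliant() {
    local user
    user="$(chronyd_options_user "$1")"
    [ -z "$user" ] || [ "$user" = "chrony" ]
}

# Print every OPTIONS line in a sysconfig file that overrides -u with a user
# other than chrony; print nothing when the file is compliant or absent
# (an absent file means the packaged default, which already runs as chrony).
chronyd_sysconfig_violations() {
    local file="$1" line
    [ -r "$file" ] || return 0
    grep -E '^[[:space:]]*OPTIONS=' "$file" | while IFS= read -r line; do
        chronyd_options_compliant "$line" || printf '%s\n' "$line"
    done
}

# Stand-alone demonstration on a constructed sample file (not a real system
# file); prints the single non-compliant OPTIONS line it contains.
demo_chronyd_check() {
    local tmp
    tmp="$(mktemp)"
    printf '%s\n' '# constructed sample /etc/sysconfig/chronyd' 'OPTIONS="-u root"' > "$tmp"
    chronyd_sysconfig_violations "$tmp"
    rm -f "$tmp"
}

demo_chronyd_check
```

Run it as-is to see the constructed sample flagged; point `chronyd_sysconfig_violations` at a real `/etc/sysconfig/chronyd` to audit a host, where empty output means compliant.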
This datastream diff is auto generated by the check.
OVAL definition oval:ssg-chronyd_run_as_chrony_user:def:1 differs:
--- old datastream
+++ new datastream
- criteria OR
- criterion oval:ssg-test_chronyd_run_as_chrony_user:tst:1
- criterion oval:ssg-test_chronyd_run_as_chrony_user_config_file_exists:tst:1
+ criterion oval:ssg-test_no_user_override:tst:1
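Review bot: with `criteria OR` and `oval:ssg-test_chronyd_run_as_chrony_user_config_file_exists:tst:1` removed, the definition now rests on `oval:ssg-test_no_user_override:tst:1` alone, so the absent-file case is decided entirely by that one test. Confirm it evaluates to a pass when /etc/sysconfig/chronyd does not exist, which is the "compliant default setting" the description relies on, and say so in the test's comment so the next reader does not have to reconstruct why the existence criterion was dropped.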
OCIL for rule 'xccdf_org.ssgproject.content_rule_chronyd_run_as_chrony_user' differs:
--- old datastream
+++ new datastream
@@ -1,5 +1,4 @@
-Run the following command and verify that -u chrony is included in OPTIONS:
-# grep "^OPTIONS" /etc/sysconfig/chronyd
-OPTIONS="-u chrony"
+# grep "^OPTIONS.*-u" /etc/sysconfig/chronyd | grep -v -e '-u\s*chrony\b'
+returns no output
Is it the case that chronyd is not running under chrony user account?
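Review bot: the new OCIL text lost its instruction sentence and now opens with the bare command `# grep "^OPTIONS.*-u" /etc/sysconfig/chronyd | grep -v -e '-u\s*chrony\b'` followed by `returns no output`; restore a lead sentence such as `Run the following command and verify that it returns no output:` so the auditor knows what to do with the line. Worth a comment too: `\s` and `\b` are GNU grep extensions, fine within the `multi_platform_rhel,multi_platform_fedora` scope but not portable.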
bash remediation for rule 'xccdf_org.ssgproject.content_rule_chronyd_run_as_chrony_user' differs:
--- old datastream
+++ new datastream
@@ -4,7 +4,13 @@
if grep -q 'OPTIONS=.*' /etc/sysconfig/chronyd; then
# trying to solve cases where the parameter after OPTIONS
#may or may not be enclosed in quotes
- sed -i -E -e 's/\s*-u\s+\w+\s*/ /' -e 's/^([\s]*OPTIONS=["]?[^"]*)("?)/\1 -u chrony\2/' /etc/sysconfig/chronyd
+ sed -i -E -e 's/\s*-u\s*\w+\s*/ /' -e 's/^([\s]*OPTIONS=["]?[^"]*)("?)/\1\2/' /etc/sysconfig/chronyd
+fi
+
+if grep -q 'OPTIONS=.*' /etc/sysconfig/chronyd; then
+ # trying to solve cases where the parameter after OPTIONS
+ #may or may not be enclosed in quotes
+ sed -i -E -e 's/\s*-u\s*\w+\s*/ /' -e 's/^([\s]*OPTIONS=["]?[^"]*)("?)/\1 -u chrony\2/' /etc/sysconfig/chronyd
else
echo 'OPTIONS="-u chrony"' >> /etc/sysconfig/chronyd
fi
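Review bot: the second sed expression in the added first block, `s/^([\s]*OPTIONS=["]?[^"]*)("?)/\1\2/`, replaces the match with itself and does nothing, and the second `if grep -q 'OPTIONS=.*'` block that follows repeats the same test and the same `-u` strip before re-adding `-u chrony`, so the first block is redundant; drop it, or, if the intent on RHEL/Fedora is only to strip a foreign override, drop the re-add and the `else` branch instead, as the ansible remediation in this diff does. Separately, `[\s]*` inside a bracket expression is not a whitespace class in POSIX ERE (the backslash is literal); the `\s*` used outside brackets in the first expression is the form to keep.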
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_chronyd_run_as_chrony_user' differs:
--- old datastream
+++ new datastream
@@ -31,7 +31,7 @@
- name: Remove any previous configuration of user used to run chronyd process
replace:
path: /etc/sysconfig/chronyd
- regexp: \s*-u\s+\w+\s*
+ regexp: \s*-u\s*\w+\s*
replace: ' '
when:
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
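Review bot: widening `\s+` to `\s*` makes the regexp match `-uchrony` as well as `-u chrony`, in line with the sed change in the bash remediation. Because `replace: ' '` substitutes a single space, a line such as `OPTIONS="-u root"` becomes `OPTIONS=" "`; harmless for chronyd, but the task name promises a clean removal, so either trim the result or document the leftover space.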
@@ -45,43 +45,3 @@
- low_disruption
- medium_severity
- no_reboot_needed
-
-- name: Correct existing line in /etc/sysconfig/chronyd to run chronyd as chrony user
- lineinfile:
- path: /etc/sysconfig/chronyd
- regexp: ^([\s]*OPTIONS=["]?[^"]*)("?)
- line: \1 -u chrony\2
- state: present
- backrefs: true
- when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"chrony" in ansible_facts.packages'
- - chronyd_file is defined and chronyd_file.matched > 0
- tags:
- - CCE-82879-8
- - chronyd_run_as_chrony_user
- - configure_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
-
-- name: Insert correct line into /etc/sysconfig/chronyd ensuring chronyd runs as chrony
- user
- lineinfile:
- path: /etc/sysconfig/chronyd
- line: OPTIONS="-u chrony"
- state: present
- create: true
- when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"chrony" in ansible_facts.packages'
- - chronyd_file is defined and chronyd_file.matched == 0
- tags:
- - CCE-82879-8
- - chronyd_run_as_chrony_user
- - configure_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
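Review bot: removing both `lineinfile` tasks leaves the ansible remediation only stripping an existing `-u <user>` override and never adding `-u chrony`, while the bash remediation in this same diff still appends `OPTIONS="-u chrony"` in its `else` branch and re-inserts `-u chrony` in its second block; the two remediations for `chronyd_run_as_chrony_user` therefore no longer converge on the same end state. Align them (the relaxed check only needs the strip), and drop the `chronyd_file` fact if nothing else in the playbook still reads it now that its `when` conditions are gone.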
Code Climate has analyzed commit cf086ed and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 42.7% (0.0% change).
@matejak: The following tests failed, say
If you think that this should apply to OL as well, please open a new PR.
@@ -1,4 +1,5 @@
#!/bin/bash
# platform = multi_platform_rhel,multi_platform_fedora
-# platform = multi_platform_rhel,multi_platform_fedora
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
Description:
I have verified that the '-u chrony' in OPTIONS is not needed on RHEL7-9, nor on Fedora.
The chrony user is the one that is used to run the service.
As a result, I have updated the check, remediations and description.
I have also updated existing check + remediation content wrt POSIX CLI standards.
Rationale:
Having correct configuration labelled as incompliant just adds noise.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2077531