chronyd_or_ntpd_set_maxpoll is not remediated by Ansible #11934

Closed
vojtapolasek opened this issue May 2, 2024 · 2 comments · Fixed by #11960
Labels: productization-issue (Issue found in upstream stabilization process.)

Comments
@vojtapolasek (Collaborator)

Description of problem:

When remediating the stig profile with Ansible, the rule chronyd_or_ntpd_set_maxpoll does not get remediated.

The relevant part of the Ansible playbook execution is attached (ansible.log).

SCAP Security Guide Version:

stabilization-v0.1.73 branch, commit 0b096bc

Operating System Version:

RHEL 8 and 9

Steps to Reproduce:

1. Remediate the stig profile with its Ansible playbook.
2. Perform an oscap scan for this profile.

Actual Results:

The rule is reported as failed.

Expected Results:

The rule is reported as passing.

Additional Information/Debugging Steps:

I have a hunch that it might be caused by rule ordering? That the server directive with maxpoll is overridden by another rule which configures a hardcoded NTP server for STIG.

This error shows up often but not always.

@vojtapolasek vojtapolasek added the productization-issue Issue found in upstream stabilization process. label May 2, 2024
@vojtapolasek vojtapolasek added this to the 0.1.73 milestone May 2, 2024
@jan-cerny (Collaborator)

What I find really disturbing is that the Ansible tasks in the attachment manipulate many unrelated files such as /etc/sestatus.conf or /etc/krb5.conf.

This is caused by the tasks that work with chrony_conf_path variable. They get the name of the parent directory and look for all .conf files there. This probably works nicely for Ubuntu products, where chrony_conf_path is set to /etc/chrony/chrony.conf, but creates harm in all other products where chrony_conf_path is set to /etc/chrony.conf, so the dirname is /etc and the search matches all *.conf files in /etc.

@jan-cerny jan-cerny self-assigned this May 6, 2024
@jan-cerny (Collaborator)

Most likely caused by chronyd_specify_remote_server remediation which runs later than remediation for this rule and inserts a new entry without the maxpoll.
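Added example, not code from the ComplianceAsCode project or from the commenters: a POSIX shell simulation of the two mechanisms described in the comments above. It shows the dirname-plus-*.conf file selection that makes a chrony_conf_path of /etc/chrony.conf pull in unrelated /etc/*.conf files (beside a selection scoped to the named file), and the ordering effect where a later stand-in for chronyd_specify_remote_server appends a server line without maxpoll, so the maxpoll check fails. Everything runs in a throwaway directory; the fake /etc contents, the hostname ntp.example.test and the value maxpoll 16 are constructed for the example and are not STIG values.

```shell
#!/bin/sh
# Added example, not ComplianceAsCode code. Simulates the two problems discussed in
# this issue against a throwaway directory tree, so it is safe to run anywhere.

# Build a fake /etc with both layouts mentioned in the thread (constructed content).
make_fake_etc() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/chrony"
    printf 'server 0.pool.ntp.org iburst\n' > "$root/etc/chrony.conf"          # RHEL layout
    printf '# unrelated service config\n' > "$root/etc/sestatus.conf"
    printf '# unrelated service config\n' > "$root/etc/krb5.conf"
    printf 'server 0.pool.ntp.org iburst\n' > "$root/etc/chrony/chrony.conf"   # Ubuntu layout
    printf '%s\n' "$root"
}

# Over-broad selection as described in the thread: dirname of chrony_conf_path, then *.conf.
naive_targets() {
    for f in "$(dirname "$1")"/*.conf; do
        if [ -f "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# Scoped selection: touch only the file chrony_conf_path actually names.
scoped_targets() {
    if [ -f "$1" ]; then printf '%s\n' "$1"; fi
}

# Stand-in for the chronyd_or_ntpd_set_maxpoll remediation: append maxpoll to
# every "server" line that lacks one. The value 16 is illustrative only.
remediate_maxpoll() {
    awk '/^server / && !/maxpoll/ { $0 = $0 " maxpoll 16" } { print }' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Stand-in for chronyd_specify_remote_server: append a fresh server line with no maxpoll.
# ntp.example.test is a constructed hostname, not a real STIG value.
remediate_remote_server() {
    printf 'server ntp.example.test iburst\n' >> "$1"
}

# Check mirroring what the scan asserts: every server line carries maxpoll.
check_maxpoll() {
    awk 'BEGIN { bad = 0 } /^server / && !/maxpoll/ { bad = 1 } END { exit bad }' "$1"
}

# Apply the given remediations, in order, to a copy of the file; succeed only if
# the maxpoll check passes afterwards.
run_order() {
    src=$1; shift
    work="$src.work"
    cp "$src" "$work"
    for rem in "$@"; do "$rem" "$work"; done
    check_maxpoll "$work"
    status=$?
    rm -f "$work"
    return $status
}

# Demo when run directly.
root=$(make_fake_etc)
echo "naive targets for /etc/chrony.conf:";        naive_targets "$root/etc/chrony.conf"
echo "naive targets for /etc/chrony/chrony.conf:"; naive_targets "$root/etc/chrony/chrony.conf"
echo "scoped targets for /etc/chrony.conf:";       scoped_targets "$root/etc/chrony.conf"
if run_order "$root/etc/chrony.conf" remediate_maxpoll remediate_remote_server; then
    echo "maxpoll first, remote server second: PASS"
else
    echo "maxpoll first, remote server second: FAIL (reproduces the issue)"
fi
if run_order "$root/etc/chrony.conf" remediate_remote_server remediate_maxpoll; then
    echo "remote server first, maxpoll second: PASS (fixed ordering)"
else
    echo "remote server first, maxpoll second: FAIL"
fi
rm -rf "$root"
```

The two run_order calls are the point: the same two remediations pass or fail the check depending only on which runs last, which is why moving chronyd_specify_remote_server ahead of the other ntp rules resolves the report. The naive_targets output for the RHEL layout lists sestatus.conf and krb5.conf, the unrelated files the second comment saw being edited.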

jan-cerny added a commit to jan-cerny/scap-security-guide that referenced this issue May 7, 2024
This change will put chronyd_specify_remote_server before
other rules in the ntp group.

Fixes: ComplianceAsCode#11934