Disable network management of chrony daemon.

ComplianceAsCode · Jun 25, 2019 · ed89b59 · ed89b59
1 parent e7d0302
commit ed89b59
Show file tree

Hide file tree

Showing 10 changed files with 98 additions and 1 deletion.
diff --git a/fedora/profiles/ospp.profile b/fedora/profiles/ospp.profile
@@ -215,3 +215,4 @@ selections:
     - configure_kerberos_crypto_policy
     - configure_bind_crypto_policy
     - configure_crypto_policy
+    - chronyd_no_chronyc_network
diff --git a/linux_os/guide/services/ntp/chronyd_no_chronyc_network/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_no_chronyc_network/bash/shared.sh
@@ -0,0 +1,6 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
+
+# Include source function library
+. /usr/share/scap-security-guide/remediation_functions
+
+replace_or_append /etc/chrony.conf '^cmdport' 0 '@CCENUM@' '%s %s'
diff --git a/linux_os/guide/services/ntp/chronyd_no_chronyc_network/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_no_chronyc_network/oval/shared.xml
@@ -0,0 +1,35 @@
+<def-group oval_version="5.11">
+  <definition class="compliance" id="chronyd_no_chronyc_network" version="1">
+    <metadata>
+      <title>Disable network management of chrony daemon</title>
+      <affected family="unix">
+        <platform>multi_platform_rhel</platform>
+        <platform>multi_platform_fedora</platform>
+        <platform>multi_platform_ol</platform>
+      </affected>
+      <description>Configure the cmdport setting in /etc/chrony.conf to disable
+      chronyc management connections over network.</description>
+    </metadata>
+    <criteria operator="AND">
+      <extend_definition definition_ref="service_chronyd_enabled" comment="service chronyd enabled" />
+      <criterion test_ref="test_chronyd_no_chronyc_network" comment="check if cmdport is 0 in /etc/chrony.conf" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test id="test_chronyd_no_chronyc_network"
+    comment="check if cmdport is 0 in /etc/chrony.conf"
+    check="all" check_existence="all_exist" version="1">
+    <ind:object object_ref="obj_chronyd_cmdport_value" />
+    <ind:state state_ref="state_chronyd_cmdport_value_0" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_chronyd_cmdport_value" version="1">
+    <ind:filepath>/etc/chrony.conf</ind:filepath>
+    <ind:pattern operation="pattern match">^\s*cmdport[\s]+(\S+)</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_state id="state_chronyd_cmdport_value_0" version="1">
+    <ind:subexpression>0</ind:subexpression>
+  </ind:textfilecontent54_state>
+</def-group>
diff --git a/linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml b/linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml
@@ -0,0 +1,30 @@
+documentation_complete: true
+
+prodtype: rhel8,fedora,ol8
+
+title: 'Disable network management of chrony daemon'
+
+description: |-
+    The <tt>cmdport</tt> option in <tt>/etc/chrony.conf</tt> can be set to
+    <tt>0</tt> to stop chrony daemon from listening on the UDP port 323
+    for management connections made by chronyc.
+
+rationale: |-
+    Not exposing the management interface of the chrony daemon on
+    the network diminishes the attack space.
+
+severity: unknown
+
+identifiers:
+    cce@rhel8: 82840-0
+
+references:
+    ospp: FMT_SMF_EXT.1
+
+ocil_clause: 'it does not exist or port is set to non-zero value'
+
+ocil: |-
+    To verify that <tt>cmdport</tt> has been set properly, perform the following:
+    <pre>$ grep '\bcmdport\b' /etc/chrony.conf</pre>
+    The output should return
+    <pre>port 0</pre>
diff --git a/ol8/profiles/ospp.profile b/ol8/profiles/ospp.profile
@@ -209,3 +209,4 @@ selections:
     - configure_libreswan_crypto_policy
     - configure_ssh_crypto_policy
     - configure_kerberos_crypto_policy
+    - chronyd_no_chronyc_network
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
@@ -183,6 +183,9 @@ selections:
     #######################################################
     ## FMT_SMF_EXT.1 Specification of Management Functions
 
+    ### disable network management of chrony daemon
+    - chronyd_no_chronyc_network
+
     ### FMT_SMF_EXT.1.1: https://www.niap-ccevs.org/MMO/PP/-424-/#FMT_SMF_EXT.1.1
     ### The OS shall be capable of performing the following
     ### management functions:

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -983,7 +983,6 @@ CCE-82836-8
 CCE-82837-6
 CCE-82838-4
 CCE-82839-2
-CCE-82840-0
 CCE-82841-8
 CCE-82842-6
 CCE-82843-4

diff --git a/tests/data/group_services/group_ntp/rule_chronyd_no_chronyc_network/chrony.pass.sh b/tests/data/group_services/group_ntp/rule_chronyd_no_chronyc_network/chrony.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+yum install -y chrony
+systemctl enable chronyd.service
+
+echo "cmdport 0" >> /etc/chrony.conf
diff --git a/tests/data/group_services/group_ntp/rule_chronyd_no_chronyc_network/missing.fail.sh b/tests/data/group_services/group_ntp/rule_chronyd_no_chronyc_network/missing.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+yum install -y chrony
+systemctl enable chronyd.service
diff --git a/tests/data/group_services/group_ntp/rule_chronyd_no_chronyc_network/nonzero.fail.sh b/tests/data/group_services/group_ntp/rule_chronyd_no_chronyc_network/nonzero.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+yum install -y chrony
+systemctl enable chronyd.service
+
+echo "cmdport 324" >> /etc/chrony.conf