
Disable network management of chrony daemon. #4449

Merged


adelton
Collaborator

@adelton adelton commented Jun 25, 2019

Description:

  • Disable network management of chrony daemon.

Rationale:

  • Not exposing the management interface of the chrony daemon on the network diminishes the attack space.

@@ -0,0 +1,6 @@
# platform = multi_platform_rhel
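Review bot: `# platform = multi_platform_rhel` scopes this remediation to RHEL only, while the rule is meant to cover Fedora and Oracle Linux as well (the follow-up commit adds them); list those platforms in this header too, e.g. `# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol`, so the fix applies wherever the check does.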
Collaborator

I think the remediation script can also be applicable to Fedora.

Collaborator Author

@adelton adelton Jun 25, 2019

Added Fedora and OL in ed89b59. Also rebased on master.

@adelton adelton force-pushed the chronyd_no_chronyc_network branch from 43a7c27 to ed89b59 Compare June 25, 2019 13:52
@jan-cerny jan-cerny self-assigned this Jun 25, 2019
@jan-cerny jan-cerny added this to the 0.1.45 milestone Jun 25, 2019
@jan-cerny
Collaborator

Thanks!

The output of the test run:

[jcerny@thinkpad tests{chronyd_no_chronyc_network}]$ ./test_suite.py rule --libvirt qemu:///system ssgts_rhel8 --datastream ../build/ssg-rhel8-ds.xml chronyd_no_chronyc_network
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/scap-security-guide/tests/logs/rule-custom-2019-06-25-1604/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network
INFO - Script missing.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp OK
INFO - Script chrony.pass.sh using profile xccdf_org.ssgproject.content_profile_ospp OK
INFO - Script nonzero.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp OK

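An added example, not the project's own check or remediation, of the check and fix this rule implies. It assumes the rule is satisfied by an active `cmdport 0` line in /etc/chrony.conf (which stops chronyd from opening its command port for chronyc at all) and that a later `cmdport` line overrides an earlier one; the three outcomes mirror the test scripts in the run above (directive missing fails, non-zero value fails, `cmdport 0` passes). The config file used is constructed, not a real host file.

```bash
#!/bin/bash
# Added example (not ComplianceAsCode's own code). Assumption: the rule
# chronyd_no_chronyc_network passes when the last active "cmdport" directive
# in chrony.conf is "cmdport 0"; commented-out lines do not count.

# Check: return 0 (pass) or 1 (fail) for the chrony.conf given as $1.
chrony_cmdport_check() {
    local conf="$1" last
    # Only the last active directive matters, since later lines override.
    last=$(grep -E '^[[:space:]]*cmdport[[:space:]]' "$conf" | tail -n 1)
    [ -n "$last" ] || return 1                      # directive missing -> fail
    printf '%s\n' "$last" \
        | grep -Eq '^[[:space:]]*cmdport[[:space:]]+0([[:space:]]|$)'
}

# Fix (idempotent): rewrite every active cmdport line to "cmdport 0", or
# append one when the directive is absent. Commented lines are left alone.
chrony_cmdport_fix() {
    local conf="$1"
    if grep -Eq '^[[:space:]]*cmdport[[:space:]]' "$conf"; then
        sed -i -E 's/^[[:space:]]*cmdport[[:space:]].*/cmdport 0/' "$conf"
    else
        printf 'cmdport 0\n' >> "$conf"
    fi
}

# Demo on a constructed config that currently fails (non-zero port).
demo_conf=$(mktemp)
printf 'server ntp.example.com iburst\ncmdport 323\n' > "$demo_conf"
chrony_cmdport_check "$demo_conf" && echo "pass" || echo "fail: cmdport is not 0"
chrony_cmdport_fix "$demo_conf"
chrony_cmdport_check "$demo_conf" && echo "pass after fix"
rm -f "$demo_conf"
```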
@jan-cerny jan-cerny merged commit dc61a1c into ComplianceAsCode:master Jun 25, 2019
Not exposing the management interface of the chrony daemon on
the network diminishes the attack space.

severity: unknown
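Review bot: `severity: unknown` is a placeholder that should not ship; the rationale above already makes the case for the rule, so assign a concrete severity before merging, since profiles and report consumers prioritize findings by it.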
Member

What severity should this rule be assigned?

Collaborator Author

@stevegrubb, what severity is this?

severity: unknown

identifiers:
cce@rhel8: 82840-0
Member

Should there be RHEL 7 or RHEL 6 CCEs?

Collaborator Author

Possibly. I'm working based on the RHEL 8 kickstart by @stevegrubb, so not really focusing on older versions.
@yuumasato, do we want to add these things to older versions as well as part of the RHEL 8 review / work?

Member

@adelton If it is cheap, yes, we can add them, but I don't consider it essential for the PR.
What I consider important is the content itself, the rule, check and fix.

I'd like to avoid expanding the scope too much, and having to check configuration settings for three distributions.

@@ -0,0 +1,30 @@
documentation_complete: true

prodtype: rhel8,fedora,ol8
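Review bot: `prodtype: rhel8,fedora,ol8` decides which products build this rule, so any product added here needs a matching `# platform` header on the remediation and, for RHEL products, a matching `cce@` identifier, otherwise that product gets the check without a fix or identifier; if RHEL 7 is added later, all three should change together.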
Member

Is this truly only applicable to RHEL 8?

Collaborator Author

@yuumasato, similar question to the above.
