
From 894d50c90ad9fd9431c8198a082f4742b168c7c8 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 17 Mar 2020 09:31:32 +0100
Subject: [PATCH 1/8] add rule
---
 .../ntp/chronyd_run_as_chrony_user/rule.yml   | 40 +++++++++++++++++++
 shared/references/cce-redhat-avail.txt        |  2 -
 2 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
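diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
new file mode 100644
index 0000000000..00a9e1d046
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+prodtype: rhel7,rhel8,fedora
+
+title: 'Ensure thatchronyd is running under chrony user account'
+
+description: |-
+    chrony is a daemon which implements the Network Time Protocol (NTP) is designed to
+    synchronize system clocks across a variety of systems and use a source that is highly
+    accurate. More information on chrony can be found at
+    {{{ weblink(link="http://chrony.tuxfamily.org/) }}}.
+    Chrony can be configured to be a client and/or a server.
+    To ensure that chronyd is running under chrony user account, Add or edit the
+    <tt>OPTIONS</tt> variable in <tt>/etc/sysconfig/chronyd</tt> to include ' -u chrony ':
+    OPTIONS="-u chrony"
+    This recommendation only applies if chrony is in use on the system.
+
+rationale: |-
+    If chrony is in use on the system proper configuration is vital to ensuring time synchronization
+    is working properly.
+
+severity: medium
+
+platform: ntp
+
+references:
+    cis@rhel7: 2.2.1.2
+    cis@rhel8: 2.2.1.2
+
+identifiers:
+    cce@rhel7: 82878-0
+    cce@rhel8: 82879-8
+
+ocil_clause: 'chronyd is not running under chrony user account'
+
+ocil: |-
+    Run the following command and verify that <tt>-u chrony</tt> is included in <tt>OPTIONS</tt>:
+    # grep "^OPTIONS" /etc/sysconfig/chronyd
+    OPTIONS="-u chrony"
+    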
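Review bot: The new `rationale:` block says nothing about why running chronyd as an unprivileged user matters, so a reader cannot tell what risk the rule reduces. Proposed rationale: `Running chronyd as the dedicated chrony user rather than root limits the impact of a vulnerability in the daemon: a compromised chronyd process then holds no root privileges and cannot directly modify the rest of the system.` The existing sentence about time synchronization working properly can remain as a second paragraph. The OCIL `grep "^OPTIONS"` in the same hunk also skips an indented `OPTIONS=` line that the OVAL check added later in this series (prefix `^[ \t]*`) accepts; `grep "^[[:space:]]*OPTIONS"` keeps the manual and automated checks consistent.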
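diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index a12a6355fc..53b8232431 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -3,8 +3,6 @@ CCE-82874-9
 CCE-82875-6
 CCE-82876-4
 CCE-82877-2
-CCE-82878-0
-CCE-82879-8
 CCE-82880-6
 CCE-82882-2
 CCE-82883-0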
From 8a6213bc0a5cfe5005b3d4c9c2e331bc361a9eec Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 17 Mar 2020 10:47:23 +0100
Subject: [PATCH 2/8] add chrony cpe to rhel7, rhel8, fedora
---
 .../ntp/chronyd_run_as_chrony_user/rule.yml   |  6 +++---
 6 files changed, 39 insertions(+), 3 deletions(-)
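diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
index 00a9e1d046..811ab8ac91 100644
--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
@@ -5,10 +5,10 @@ prodtype: rhel7,rhel8,fedora
 title: 'Ensure thatchronyd is running under chrony user account'
 
 description: |-
-    chrony is a daemon which implements the Network Time Protocol (NTP) is designed to
+    chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to
     synchronize system clocks across a variety of systems and use a source that is highly
     accurate. More information on chrony can be found at
-    {{{ weblink(link="http://chrony.tuxfamily.org/) }}}.
+    {{{ weblink(link="http://chrony.tuxfamily.org/") }}}.
     Chrony can be configured to be a client and/or a server.
     To ensure that chronyd is running under chrony user account, Add or edit the
     <tt>OPTIONS</tt> variable in <tt>/etc/sysconfig/chronyd</tt> to include ' -u chrony ':
@@ -21,7 +21,7 @@ rationale: |-
 
 severity: medium
 
-platform: ntp
+platform: chrony
 
 references:
     cis@rhel7: 2.2.1.2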
From f32d587b8d6f916f0ed35000348de111a0ff3347 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 17 Mar 2020 10:47:56 +0100
Subject: [PATCH 3/8] add remediations
---
 .../ansible/shared.yml                        | 30 +++++++++++++++++++
 .../chronyd_run_as_chrony_user/bash/shared.sh |  9 ++++++
 2 files changed, 39 insertions(+)
 create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml
 create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh
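diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml
new file mode 100644
index 0000000000..f9c29734c0
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml
@@ -0,0 +1,30 @@
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+- name: "detect if file is not empty or missing"
+  find:
+    path: /etc/sysconfig/
+    patterns: chronyd
+    contains: '^([\s]*OPTIONS=["]?[^"]*)("?)'
+  register: chronyd_file
+
+- name: "replace existing setting or create a new file, rest is handled by different task"
+  lineinfile:
+    path: /etc/sysconfig/chronyd
+    regexp: '^([\s]*OPTIONS=["]?[^"]*)("?)'
+    line: '\1 -u chrony\2'
+    state: present
+    create: True
+    backrefs: True
+  when: chronyd_file.matched > 0
+
+- name: "put line into file, assume file was empty"
+  lineinfile:
+    path: /etc/sysconfig/chronyd
+    line: 'OPTIONS="-u chrony"'
+    state: present
+    create: True
+  when: chronyd_file.matched == 0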
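diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh
new file mode 100644
index 0000000000..4210e28560
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = Red Hat Enterprise Linux 7,multi_platform_fedora,Red Hat Enterprise Linux 8
+
+if grep -q 'OPTIONS=.*' /etc/sysconfig/chronyd; then
+	# trying to solve cases where the parameter after OPTIONS
+	#may or may not be enclosed in quotes
+	sed -i -E 's/^([\s]*OPTIONS=["]?[^"]*)("?)/\1 -u chrony\2/' /etc/sysconfig/chronyd
+else
+	echo 'OPTIONS="-u chrony"' >> /etc/sysconfig/chronyd
+fi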
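Review bot: The `grep -q 'OPTIONS=.*'` guard on the `if` line is unanchored, so a commented-out `#OPTIONS=...` line (or any other variable whose name ends in OPTIONS) selects the sed branch, where the `^`-anchored substitution never matches and the `else` append never runs — the file is left non-compliant while the script exits 0. Anchor the guard: `if grep -q '^[[:space:]]*OPTIONS=' /etc/sysconfig/chronyd; then`. Separately, `[\s]` inside a bracket expression is not whitespace in sed's ERE (it matches a backslash or the letter s), so `^([\s]*OPTIONS=` effectively only matches OPTIONS at column 0; `^([[:space:]]*OPTIONS=["]?[^"]*)("?)` is the portable form for the substitution. Both the guard and the bracket expression are carried unchanged into the later hunk to bash/shared.sh in patch 8/8.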
From 93055dfbb432ca08fbe215ddc40235b3c815a604 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 17 Mar 2020 10:48:31 +0100
Subject: [PATCH 4/8] add oval check
---
 .../services/ntp/chronyd_run_as_chrony_user/oval/shared.xml      | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/oval/shared.xml
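diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/oval/shared.xml
new file mode 100644
index 0000000000..fe2936bc92
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/oval/shared.xml
@@ -0,0 +1 @@
+{{{ oval_check_config_file(path='/etc/sysconfig/chronyd', prefix_regex='^[ \\t]*', parameter='OPTIONS', separator_regex='=', value='["]?.*-u chrony.*["]?', missing_parameter_pass=false, missing_config_file_fail=true) }}}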
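Review bot: The `value` regex `["]?.*-u chrony.*["]?` has no boundary after `chrony`, so a longer user name that merely starts with it (for example `-u chronyx`) satisfies the check, while the literal single space rejects an otherwise valid `-u  chrony` or tab-separated form. Something like `value='["]?(.*\s)?-u\s+chrony(\s.*)?["]?'` pins the token; how tightly the macro anchors `value` is not visible in this hunk, so confirm against the `oval_check_config_file` definition before relying on the outer `["]?` parts.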
From 4e1c628a1aca02a578aa1e9401c7d4c48367bc5d Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 17 Mar 2020 10:48:45 +0100
Subject: [PATCH 5/8] add tests
---
 .../ntp/chronyd_run_as_chrony_user/tests/correct.pass.sh    | 5 +++++
 .../ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh      | 6 ++++++
 .../chronyd_run_as_chrony_user/tests/empty_options.fail.sh  | 5 +++++
 .../chronyd_run_as_chrony_user/tests/file_missing.fail.sh   | 5 +++++
 .../ntp/chronyd_run_as_chrony_user/tests/wrong_line.fail.sh | 5 +++++
 5 files changed, 26 insertions(+)
 create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct.pass.sh
 create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh
 create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty_options.fail.sh
 create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/file_missing.fail.sh
 create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line.fail.sh
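diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct.pass.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct.pass.sh
new file mode 100644
index 0000000000..44783378ce
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+yum -y install chrony
+
+echo 'OPTIONS="-u chrony"' > /etc/sysconfig/chronyd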
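Review bot: None of the test scenarios added in this patch covers a commented-out line such as `#OPTIONS="-u chrony"`, which the OVAL prefix regex rejects but the bash remediation's unanchored `grep -q 'OPTIONS=.*'` treats as present — exactly the case where check and remediation disagree. Add a `commented.fail.sh` next to this file containing `yum -y install chrony` and `echo '#OPTIONS="-u chrony"' > /etc/sysconfig/chronyd`. An indented or unquoted pass case (`echo '  OPTIONS=-u chrony' > /etc/sysconfig/chronyd`) would also be worth having, since the check allows leading whitespace and optional quotes but no test exercises either.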
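diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh
new file mode 100644
index 0000000000..51f5b8663f
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+yum -y install ntp
+
+echo "" > /etc/sysconfig/ntpd
+echo "" > /usr/lib/systemd/system/ntpd.service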
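diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty_options.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty_options.fail.sh
new file mode 100644
index 0000000000..c38004ae8a
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty_options.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+yum -y install chrony
+
+echo 'OPTIONS=""' > /etc/sysconfig/chronyd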
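diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/file_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/file_missing.fail.sh
new file mode 100644
index 0000000000..c5e5c97b85
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/file_missing.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+yum -y install chrony
+
+rm -f /etc/sysconfig/ntpd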
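diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line.fail.sh
new file mode 100644
index 0000000000..72ef399539
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+yum -y install chrony
+
+echo 'OPTIONS="-u root:root"' > /etc/sysconfig/chronyd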
From 72e02f1d773b513cb2bcfac35cef2b17b036c7a6 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 18 Mar 2020 12:09:26 +0100
Subject: [PATCH 6/8] fix wording and ansible
---
 .../ntp/chronyd_run_as_chrony_user/ansible/shared.yml    | 9 ++++-----
 .../services/ntp/chronyd_run_as_chrony_user/rule.yml     | 4 ++--
 2 files changed, 6 insertions(+), 7 deletions(-)
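diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml
index f9c29734c0..42acdff9f4 100644
--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml
@@ -4,24 +4,23 @@
 # complexity = low
 # disruption = low
 
-- name: "detect if file is not empty or missing"
+- name: "Detect if file /etc/sysconfig/chronyd is not empty or missing"
   find:
     path: /etc/sysconfig/
     patterns: chronyd
     contains: '^([\s]*OPTIONS=["]?[^"]*)("?)'
   register: chronyd_file
 
-- name: "replace existing setting or create a new file, rest is handled by different task"
+- name: "Correct existing in /etc/sysconfig/chronyd to run chronyd as chrony user"
   lineinfile:
     path: /etc/sysconfig/chronyd
     regexp: '^([\s]*OPTIONS=["]?[^"]*)("?)'
     line: '\1 -u chrony\2'
     state: present
-    create: True
     backrefs: True
-  when: chronyd_file.matched > 0
+  when: chronyd_file is defined and chronyd_file.matched > 0
 
-- name: "put line into file, assume file was empty"
+- name: "Insert correct line into /etc/sysconfig/chronyd ensuring chronyd runs as chrony user"
   lineinfile:
     path: /etc/sysconfig/chronyd
     line: 'OPTIONS="-u chrony"'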
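diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
index 811ab8ac91..cd641ce0cb 100644
--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
 
 prodtype: rhel7,rhel8,fedora
 
-title: 'Ensure thatchronyd is running under chrony user account'
+title: 'Ensure that chronyd is running under chrony user account'
 
 description: |-
     chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to
@@ -11,7 +11,7 @@ description: |-
     {{{ weblink(link="http://chrony.tuxfamily.org/") }}}.
     Chrony can be configured to be a client and/or a server.
     To ensure that chronyd is running under chrony user account, Add or edit the
-    <tt>OPTIONS</tt> variable in <tt>/etc/sysconfig/chronyd</tt> to include ' -u chrony ':
+    <tt>OPTIONS</tt> variable in <tt>/etc/sysconfig/chronyd</tt> to include <tt>-u chrony</tt>:
     OPTIONS="-u chrony"
     This recommendation only applies if chrony is in use on the system.
 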
From 0885706c1d1e9f2b0dfd1150736549e0d1a036c1 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 18 Mar 2020 12:09:56 +0100
Subject: [PATCH 7/8] fix and add tests
---
 .../tests/correct_multiple_options.pass.sh                   | 5 +++++
 .../ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh       | 3 +--
 .../chronyd_run_as_chrony_user/tests/file_missing.fail.sh    | 2 +-
 .../chronyd_run_as_chrony_user/tests/wrong_line_2.fail.sh    | 5 +++++
 4 files changed, 12 insertions(+), 3 deletions(-)
 create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct_multiple_options.pass.sh
 create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line_2.fail.sh
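diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct_multiple_options.pass.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct_multiple_options.pass.sh
new file mode 100644
index 0000000000..12f14a7e28
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct_multiple_options.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+yum -y install chrony
+
+echo 'OPTIONS="-g -u chrony"' > /etc/sysconfig/chronyd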
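diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh
index 51f5b8663f..85b4995681 100644
--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh
@@ -2,5 +2,4 @@
 
 yum -y install ntp
 
-echo "" > /etc/sysconfig/ntpd
-echo "" > /usr/lib/systemd/system/ntpd.service
+echo "" > /etc/sysconfig/chronyd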
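diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/file_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/file_missing.fail.sh
index c5e5c97b85..96787432db 100644
--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/file_missing.fail.sh
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/file_missing.fail.sh
@@ -2,4 +2,4 @@
 
 yum -y install chrony
 
-rm -f /etc/sysconfig/ntpd
+rm -f /etc/sysconfig/chronyd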
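diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line_2.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line_2.fail.sh
new file mode 100644
index 0000000000..4c3a51181a
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line_2.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+yum -y install chrony
+
+echo 'OPTIONS="-g"' > /etc/sysconfig/chronyd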
From 1ffcfa459d95f335747e158adf1596323f72e518 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 18 Mar 2020 15:57:11 +0100
Subject: [PATCH 8/8] fix remediations to remove any previous user
 configuration
fix test
---
 .../ntp/chronyd_run_as_chrony_user/ansible/shared.yml | 11 +++++++++--
 .../ntp/chronyd_run_as_chrony_user/bash/shared.sh     |  2 +-
 .../chronyd_run_as_chrony_user/tests/empty.fail.sh    |  2 +-
 3 files changed, 11 insertions(+), 4 deletions(-)
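diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml
index 42acdff9f4..e60dd11eb2 100644
--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml
@@ -11,7 +11,14 @@
     contains: '^([\s]*OPTIONS=["]?[^"]*)("?)'
   register: chronyd_file
 
-- name: "Correct existing in /etc/sysconfig/chronyd to run chronyd as chrony user"
+- name: "Remove any previous configuration of user used to run chronyd process"
+  replace:
+    path: /etc/sysconfig/chronyd
+    regexp: '\s*-u\s+\w+\s*'
+    replace: ' '
+  when: chronyd_file is defined and chronyd_file.matched > 0
+
+- name: "Correct existing line in /etc/sysconfig/chronyd to run chronyd as chrony user"
   lineinfile:
     path: /etc/sysconfig/chronyd
     regexp: '^([\s]*OPTIONS=["]?[^"]*)("?)'
@@ -26,4 +33,4 @@
     line: 'OPTIONS="-u chrony"'
     state: present
     create: True
-  when: chronyd_file.matched == 0
+  when: chronyd_file is defined and chronyd_file.matched == 0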
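Review bot: The new `replace` task's `regexp: '\s*-u\s+\w+\s*'` is unanchored and is applied to every line of /etc/sysconfig/chronyd, and `\w+` stops at the first non-word character, so the `-u root:root` value that wrong_line.fail.sh writes is only partially removed and the following lineinfile task then produces `OPTIONS=" :root -u chrony"`, leaving a stray token that chronyd is unlikely to accept. Restrict the strip to the OPTIONS line and consume the whole user token: `regexp: '^(\s*OPTIONS=.*?)\s*-u\s+[^\s"]+'` with `replace: '\1'` (the replace module compiles with MULTILINE, so `^` is per line). The two tasks are also not idempotent — an already compliant `OPTIONS="-u chrony"` is stripped and re-appended on every run — so both the replace and the backrefs lineinfile should skip a line that already carries `-u chrony` and no other `-u`. The bash/shared.sh hunk in this same patch has the same two problems.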
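diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh
index 4210e28560..83acc51db0 100644
--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh
@@ -3,7 +3,7 @@
 if grep -q 'OPTIONS=.*' /etc/sysconfig/chronyd; then
 	# trying to solve cases where the parameter after OPTIONS
 	#may or may not be enclosed in quotes
-	sed -i -E 's/^([\s]*OPTIONS=["]?[^"]*)("?)/\1 -u chrony\2/' /etc/sysconfig/chronyd
+	sed -i -E -e 's/\s*-u\s+\w+\s*/ /' -e 's/^([\s]*OPTIONS=["]?[^"]*)("?)/\1 -u chrony\2/' /etc/sysconfig/chronyd
 else
 	echo 'OPTIONS="-u chrony"' >> /etc/sysconfig/chronyd
 fi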
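Review bot: The added first expression `-e 's/\s*-u\s+\w+\s*/ /'` runs on every line of the file rather than only the OPTIONS line, and `\w+` ends at the first non-word character, so for the `OPTIONS="-u root:root"` value used by wrong_line.fail.sh it strips only `-u root` and the second expression then yields `OPTIONS=" :root -u chrony"`. Restrict it by address and consume the whole token: `-e '/^[[:space:]]*OPTIONS=/ s/[[:space:]]*-u[[:space:]]+[^[:space:]"]+//'`. A compliant `OPTIONS="-u chrony"` is also rewritten to `OPTIONS="  -u chrony"` on every run, so the remediation is not idempotent; the ansible/shared.yml hunk in this same patch shares both problems. The unanchored `grep` guard on the `if` line is raised at the hunk that introduced it.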
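diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh
index 85b4995681..4a4f21ced7 100644
--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
 
-yum -y install ntp
+yum -y install chrony
 
 echo "" > /etc/sysconfig/chronyd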