ansible-lockdown / RHEL8-CIS

Ansible role for Red Hat 8 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License

Task "2.1.2 Ensure chrony is configured | modify /etc/sysconfig/chronyd" adds parameter on every execution #381

Open fgierlinger opened 3 weeks ago

fgierlinger commented 3 weeks ago

Describe the Issue

The regex in the task "2.1.2 Ensure chrony is configured | modify /etc/sysconfig/chronyd" is supposed to add the parameter "-u chrony" and keep all other parameters. But the task is not idempotent. The "-u chrony" parameter is added for every execution.

https://github.com/ansible-lockdown/RHEL8-CIS/blob/7509256bf2ced8db3edf5f9b353a8b183068c527/tasks/section_2/cis_2.1.x.yml#L36-L52

After 3 executions the file /etc/sysconfig/chronyd has the following content:

OPTIONS="-u chrony -u chrony -u chrony"

Expected Behavior

The task should be idempotent and only add "-u chrony" if not already specified.

Actual Behavior

The task reports a change on every execution and adds "-u chrony" at every execution.

Control(s) Affected

Task 2.1.2
v8 8.4 Standardize Time Synchronization
v7 6.1 Utilize Three Synchronized Time Sources

Environment (please complete the following information):

Additional Notes

Possible Solution

uk-bolly commented 1 week ago

Hi @fgierlinger

Thank you for this issue. I can see you are referring to the older benchmark version 2.0.0. CIS v3.0 was released a while ago. I have therefore added these fixes to a new locked branch called benchamrk_v2.0.0.

I hope this helps.

Many thanks

uk-bolly
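
The idempotency requirement from the issue, as an added example that is not part of the thread and is not the role's own task or regex: a Python sketch that ensures exactly one "-u chrony" in OPTIONS, leaves other parameters alone, and goes beyond the reported case by also collapsing duplicates already written by earlier runs. The names `ensure_chrony_user` and `_split_user_flag` are hypothetical, and the code assumes option values contain no embedded whitespace or quotes.

```python
import re

# OPTIONS assignment as found in /etc/sysconfig/chronyd, quoted or unquoted.
OPTIONS_RE = re.compile(r'^OPTIONS=(?P<q>["\']?)(?P<val>.*?)(?P=q)\s*$')


def _split_user_flag(args, user):
    """Return (args without '-u <user>' pairs, number of pairs removed)."""
    rest, count, i = [], 0, 0
    while i < len(args):
        if args[i] == "-u" and i + 1 < len(args) and args[i + 1] == user:
            count += 1
            i += 2
        else:
            rest.append(args[i])
            i += 1
    return rest, count


def ensure_chrony_user(text, user="chrony"):
    """Return (new_text, changed) with exactly one '-u <user>' in OPTIONS."""
    lines = text.splitlines()
    seen = False
    for idx, line in enumerate(lines):
        m = OPTIONS_RE.match(line)
        if not m:
            continue
        seen = True
        # Assumption: option values contain no embedded whitespace or quotes.
        rest, count = _split_user_flag(m.group("val").split(), user)
        if count == 1:
            continue  # already compliant: leave the line byte-for-byte
        lines[idx] = 'OPTIONS="%s"' % " ".join(rest + ["-u", user])
    if not seen:
        lines.append('OPTIONS="-u %s"' % user)
    new_text = "\n".join(lines) + "\n"
    return new_text, new_text != text


if __name__ == "__main__":
    # Constructed sample: the file content reported in the issue after 3 runs.
    content = 'OPTIONS="-u chrony -u chrony -u chrony"\n'
    for run in range(1, 4):
        content, changed = ensure_chrony_user(content)
        print(run, changed, content.strip())
```

Only the first pass over the duplicated line reports a change; every later pass returns the text unmodified, which is the behaviour the issue asks of the task.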