ovh / debian-cis

PCI-DSS compliant Debian 10/11/12 hardening

ntp service is checked even when chrony is installed and configured #192

Closed JugeHuge closed 1 year ago

JugeHuge commented 1 year ago

If chrony or systemd-timesyncd are used, ntp should be removed. Only one time synchronization method should be in use on the system.

ThibaultDewailly commented 1 year ago

Hello,

I'm not sure what you mean here. Regarding the audit: if any one of the three packages is installed (chrony, systemd-timesyncd or ntp) then 2.2.1.1_use_time_sync.sh is OK. You can then enable the hardened configuration in 2.2.1.2_configure_systemd-timesyncd.sh, 2.2.1.3_configure_chrony.sh or 2.2.1.4_configure_ntp.sh respectively.

You want to purge the other packages during the apply phase in the 2.2.1.1_use_time_sync.sh script? If so, you can proceed and patch the apply function to suit your needs.

JugeHuge commented 1 year ago

Hmm. Can't really remember what I meant with this. :D Have to test it again. If I remember correctly I had chrony installed and configured, but it still tried to check if ntp is configured and hence gave a failure from it with the audit option. I'll check it and get back to this.

JugeHuge commented 1 year ago

Yes, found logs. So chrony is installed and its audit goes OK, but the ntp audit fails with an unexpected exit code.

2.2.1.4_configure_ntp [INFO] Working on 2.2.1.4_configure_ntp
2.2.1.4_configure_ntp [INFO] [DESCRIPTION] Configure Network Time Protocol (ntp). Check restrict parameters and ntp daemon runs ad unprivileged user.
2.2.1.4_configure_ntp [INFO] Checking Configuration
2.2.1.4_configure_ntp [WARN] ntp is not installed, not handling configuration
2.2.1.4_configure_ntp [ KO ] Check failed with unexpected exit code: 2

ThibaultDewailly commented 1 year ago

OK got it.

TL;DR: if you have chrony installed, completely disable the ntp package config.

So it works as expected. You have three supported software packages; choose one of them (e.g. chrony), and disable the other two in their respective configuration.

The tests are independent and do not intend to check your whole system to make a test pass or not. This repository is intended to be modular, so that the SRE chooses the relevant scripts for his machine.

I hope this makes sense to you, and that I have answered your question correctly.

JugeHuge commented 1 year ago

Well, isn't that giving a false audit result, as you have chrony installed and the ntp package removed, which then fails on check? Should the audit check that there is at least one time sync service installed and not check all three individually, which distorts the audit result?

ThibaultDewailly commented 1 year ago

If I understand you correctly, and if I sum up my thoughts:

https://github.com/ovh/debian-cis/blob/master/bin/hardening/2.2.1.1_use_time_sync.sh#L20 verifies "Should the audit check that there is at least one time sync service installed"; "not check all three individually, which distorts the audit result" => pick only one of the three, the one you have chosen, and the audit is thorough and precise.
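To make the two audit questions in this thread concrete, here is an added example script (not code from the debian-cis project, and not a drop-in replacement for any of its scripts). It separates the "at least one time-sync daemon is installed" check that 2.2.1.1 expresses from a per-daemon configuration check that returns exit code 2 when its daemon is absent, and it shows a runner that treats that 2 as a skip instead of a KO as long as some other daemon is present. It also adds an "exactly one daemon" check for the single-method point raised in the opening comment. The installed-package list is passed as arguments (constructed input) so the script runs offline; the function names, the exit-code mapping and the use of package presence as a stand-in for a real config parse are all assumptions of this example, not project conventions.

```shell
#!/bin/sh
# Added example, not part of debian-cis. Package names are passed as
# arguments so the script runs offline; on a real host you could feed it
# the output of: dpkg-query -W -f='${Package}\n'

# The three daemons the thread discusses (assumption: this fixed list).
TIME_SYNC_PACKAGES="chrony systemd-timesyncd ntp"

# count_time_sync_installed PKG... -> prints how many of the three are present
count_time_sync_installed() {
    count=0
    for candidate in $TIME_SYNC_PACKAGES; do
        for pkg in "$@"; do
            if [ "$pkg" = "$candidate" ]; then
                count=$((count + 1))
                break
            fi
        done
    done
    printf '%s\n' "$count"
}

# audit_any_time_sync PKG... -> 0 if at least one daemon is installed
# (the semantics the thread attributes to 2.2.1.1_use_time_sync.sh)
audit_any_time_sync() {
    [ "$(count_time_sync_installed "$@")" -ge 1 ]
}

# audit_single_time_sync PKG... -> 0 only if exactly one daemon is installed
# (the "only one time synchronization method" concern from the first comment)
audit_single_time_sync() {
    [ "$(count_time_sync_installed "$@")" -eq 1 ]
}

# check_daemon_config DAEMON PKG... -> 0 configured, 2 daemon not installed
# Exit code 2 mirrors the "not installed, not handling configuration" case
# in the log above. Presence stands in for a real parse of ntp.conf,
# chrony.conf or timesyncd.conf (assumption, to keep the example offline).
check_daemon_config() {
    daemon=$1
    shift
    for pkg in "$@"; do
        [ "$pkg" = "$daemon" ] && return 0
    done
    return 2
}

# run_config_audits PKG... -> runs the three per-daemon checks, reports SKIP
# rather than KO for an absent daemon, and fails only if no daemon at all
# is installed. Returns 0 on pass, 1 otherwise.
run_config_audits() {
    for daemon in $TIME_SYNC_PACKAGES; do
        rc=0
        check_daemon_config "$daemon" "$@" || rc=$?
        case $rc in
            0) echo "configure_$daemon [ OK ]" ;;
            2) echo "configure_$daemon [SKIP] $daemon not installed" ;;
            *) echo "configure_$daemon [ KO ] unexpected exit code: $rc" ;;
        esac
    done
    if audit_any_time_sync "$@"; then
        echo "use_time_sync [ OK ] $(count_time_sync_installed "$@") daemon(s) installed"
        return 0
    fi
    echo "use_time_sync [ KO ] no time sync daemon installed"
    return 1
}

# Constructed sample host: chrony chosen, but a stale ntp package left behind.
run_config_audits chrony ntp openssh-server
if audit_single_time_sync chrony ntp openssh-server; then
    echo "single method [ OK ]"
else
    echo "single method [WARN] more than one time sync daemon installed"
fi
```

Running the sample reports OK for chrony and ntp, SKIP for systemd-timesyncd, OK for the use_time_sync check, and a WARN from the single-method check because two daemons are present; that last check is the one the issue's opening comment asks for, and it is only meaningful once the SRE has decided which daemon the host should run.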

JugeHuge commented 1 year ago

OK, so there was a fix already coming. Have to test that. Have to be more precise next time when writing an issue. 😄 Thanks.