Public bug reported:

Source: CIS_Ubuntu_Linux_20.04_LTS_Benchmark_v1.1.0.pdf
Link: https://workbench.cisecurity.org/files/3228 (download PDF)

cis-audit level2_server fails on rule_CIS-2.2.1.3 but passes all manual
checks.

===================
Title Ensure chrony is configured
Rule xccdf_com.ubuntu.focal.cis_rule_CIS-2.2.1.3
Result fail

===================
2.1.1.3 Ensure chrony is configured (Automated)
(xccdf_com.ubuntu.focal.cis_rule_CIS-2.2.1.3)

Please note that with CIS_Ubuntu_Linux_20.04_LTS_Benchmark_v1.1.0 by CIS
the numbering is no longer aligned to the xccdf file with
xccdf_com.ubuntu.focal.cis_rule_CIS-2.2.1.3

===================
Procedure:
Verify that only one time synchronization method is in use on the system: Run 
the following command to verify that ntp is not installed.

# dpkg -s ntp | grep -E '(Status:|not installed)'

Expected result:
dpkg-query: package 'ntp' is not installed and no information is available

Actual result:
dpkg-query: package 'ntp' is not installed and no information is available

===================
NEXT
Run the following command to verify that systemd-timesyncd is masked:

# systemctl is-enabled systemd-timesyncd

Expected result:
masked

Actual result:
masked

===================
NEXT
Verify that chrony is configured: Run the following command and verify remote 
server is configured properly:

# grep -E "^(server|pool)" /etc/chrony/chrony.conf

Expected result:
server <remote-server>

Actual result:
server 0.pool.ntp.org minpoll 8
server 1.pool.ntp.org minpoll 8
server 2.pool.ntp.org minpoll 8
server 3.pool.ntp.org minpoll 8

===================
NEXT
Run the following command and verify the first field for the chronyd process is 
_chrony:

# ps -ef | grep chronyd

Expected result:
_chrony 491 1 0 20:32 ? 00:00:00 /usr/sbin/chronyd

Actual result:
_chrony     1092       1  0 17:35 ?        00:00:00 /usr/sbin/chronyd -F -1
_chrony     1099    1092  0 17:35 ?        00:00:00 /usr/sbin/chronyd -F -1

===================
===================
No errors or events within the logs.

===================
OS Version (lsb_release)

Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal

US Version
27.2.2~20.04.1

ua status
SERVICE       ENTITLED  STATUS    DESCRIPTION
cis           yes       enabled   Center for Internet Security Audit Tools
esm-infra     yes       enabled   UA Infra: Extended Security Maintenance (ESM)
fips          yes       disabled  NIST-certified core packages
fips-updates  yes       disabled  NIST-certified core packages with priority security updates
livepatch     yes       enabled   Canonical Livepatch service

===================

The expected result is that it should pass, but the process fails.

** Affects: ubuntu-advantage-tools (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: cis-audit

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1943188

Title:
  Ensure chrony is configured (Automated)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1943188/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
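
The last two manual checks quoted in the report (chrony.conf sources and the chronyd process owner), written as a script so they can be repeated on captured output. This is an added example, not part of the bug report or of the cis-audit tool; the function names are hypothetical and the sample input is constructed from the report's "Actual result" sections.

```shell
#!/bin/sh
# Added example: the report's chrony checks as functions reading text on stdin.

# Print the host of each active server/pool directive in chrony.conf text.
# Commented-out directives and directives with no host are not counted.
chrony_sources() {
    awk '($1 == "server" || $1 == "pool") && NF >= 2 { print $2 }'
}

# Print the distinct owners of chronyd processes found in `ps -ef` output.
# Field 8 is the command, so the `grep chronyd` line itself is skipped.
chronyd_owners() {
    awk '$8 ~ /(^|\/)chronyd$/ { print $1 }' | sort -u
}

# Return 0 only if at least one source is configured and every chronyd
# process is owned by _chrony. $1 = chrony.conf text, $2 = `ps -ef` output.
chrony_check() {
    sources=$(printf '%s\n' "$1" | chrony_sources | wc -l)
    owners=$(printf '%s\n' "$2" | chronyd_owners)
    [ "$sources" -ge 1 ] && [ "$owners" = "_chrony" ]
}

# Constructed sample input, modelled on the report's actual results.
SAMPLE_CONF='# constructed sample
server 0.pool.ntp.org minpoll 8
server 1.pool.ntp.org minpoll 8
#pool ntp.ubuntu.com iburst'
SAMPLE_PS='_chrony     1092       1  0 17:35 ?        00:00:00 /usr/sbin/chronyd -F -1
_chrony     1099    1092  0 17:35 ?        00:00:00 /usr/sbin/chronyd -F -1
root        2001    1500  0 17:40 pts/0    00:00:00 grep chronyd'

# On a live system: chrony_check "$(cat /etc/chrony/chrony.conf)" "$(ps -ef)"
if chrony_check "$SAMPLE_CONF" "$SAMPLE_PS"; then
    echo "chrony checks: pass"
else
    echo "chrony checks: fail"
fi
```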
