Classification: UNCLASSIFIED
Caveats: NONE

It would be nice if the prose/check allowed for cases where you have a 
"multicastclient" line in ntp.conf and servers defined in step-tickers, for 
large sites that don't want every client going directly to the NTP servers.  
Though I wonder if there are very many sites fitting this description (or I 
should just get over it and write a PoA&M for this one).

FWIW, this would fall under the case of "ntpd enabled but servers not defined 
in ntp.conf".  Ideally, I wish we could simply use ntpstat to answer one rule 
("is NTP actually working?"), as you could easily have broken servers defined 
and ntpd running but no time synchronization.  That's not the way the rules are 
currently spelled out, though, and I'm not sure if OVAL can do that.

--
Ray Shaw
Contractor, STG
Unix support, Army Research Labs


> -----Original Message-----
> From: [email protected] [mailto:scap-
> [email protected]] On Behalf Of Steinke,
> Leland J Sr CTR DISA FSO (US)
> Sent: Thursday, October 24, 2013 12:33 PM
> To: [email protected]
> Subject: STIG ID RHEL-06-000248 / SSG ID ntpd_specify_remote_server
> 
> This Rule verifies that there is an NTP server configured in
> /etc/ntpd.conf.  The supporting OVAL performs this check as well as
> verifying that ntpd is enabled, by extending RHEL-06-
> 000247/service_ntpd_enabled.  Arguments could be made that these Rules
> should pass or fail independently or that, if ntpd (or ntpdate) is not
> enabled or used, it does not matter whether a server is configured in
> /etc/ntpd.conf.
> 
> There is a patch below my signature block to remove the dependency
> entirely.
> 
> 
> Regards,
> --
> Leland Steinke, Security+
> DISA FSO Technical Support Contractor
> tapestry technologies, Inc
> 717-267-5797 (DSN 570)
> [email protected] (gov't)
> [email protected] (com'l)
> 
> 8<====================
> 
> Subject: [PATCH] remove dependency between ntpd service and
> /etc/ntpd.conf server configuration
> 
> ---
>   RHEL6/input/checks/ntp_remote_server.xml |    4 +---
>   1 files changed, 1 insertions(+), 3 deletions(-)
> 
> diff --git a/RHEL6/input/checks/ntp_remote_server.xml
> b/RHEL6/input/checks/ntp_remote_server.xml
> index b630ae4..750d640 100644
> --- a/RHEL6/input/checks/ntp_remote_server.xml
> +++ b/RHEL6/input/checks/ntp_remote_server.xml
> @@ -9,9 +9,7 @@
>         specified (and dependencies are met)</description>
>         <reference source="MED" ref_id="20130819"
> ref_url="test_attestation" />
>       </metadata>
> -    <criteria comment="ntpd is enabled and conditions are met"
> operator="AND">
> -      <extend_definition comment="ntpd is enabled"
> -      definition_ref="service_ntpd_enabled" />
> +    <criteria comment="ntp.conf conditions are met">
>         <criterion test_ref="test_ntp_remote_server" />
>       </criteria>
>     </definition>
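Review bot: the unchanged <description> context at the top of this hunk still ends with "(and dependencies are met)", but with the extend_definition for service_ntpd_enabled removed the definition no longer has any dependency, so the description should be updated in the same patch. The patch subject also says /etc/ntpd.conf while the new criteria comment says "ntp.conf"; use whichever file name test_ntp_remote_server actually reads, consistently in both places.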
> --
> 1.7.1
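The behaviour the reply at the top of this thread asks for, as an added example (not part of the original messages or of scap-security-guide): a time source counts if ntp.conf has a server line, or multicastclient plus a step-tickers entry, and ntpstat is queried separately for actual synchronisation. Function names and sample files are constructed for illustration; the code assumes ntpstat's documented exit statuses 0, 1 and 2.

```shell
#!/bin/sh
# Added example, not SSG code. File paths are arguments so the logic can be
# run against constructed files instead of the live configuration.

# has_directive FILE KEYWORD: true if an uncommented line starts with KEYWORD.
has_directive() {
    [ -r "$1" ] && grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# has_step_ticker FILE: true if FILE has a non-blank, non-comment line.
has_step_ticker() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*[^#[:space:]]' "$1"
}

# ntp_source_kind NTP_CONF STEP_TICKERS
# Prints one of: server, multicast+step-tickers, multicast-only, none.
ntp_source_kind() {
    if has_directive "$1" server; then
        echo server
    elif has_directive "$1" multicastclient; then
        if has_step_ticker "$2"; then
            echo multicast+step-tickers
        else
            echo multicast-only
        fi
    else
        echo none
    fi
}

# ntp_sync_state: turn ntpstat's exit status (0 synchronised, 1 not
# synchronised, 2 indeterminate) into a word; "unknown" if ntpstat is absent.
ntp_sync_state() {
    command -v ntpstat >/dev/null 2>&1 || { echo unknown; return 0; }
    rc=0
    ntpstat >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo synchronised ;;
        1) echo unsynchronised ;;
        *) echo unknown ;;
    esac
}

# Constructed sample: a multicast client with one step-tickers entry.
demo=$(mktemp -d)
printf '# no unicast servers\nmulticastclient\n' > "$demo/ntp.conf"
printf 'ntp1.example.com\n' > "$demo/step-tickers"
echo "source: $(ntp_source_kind "$demo/ntp.conf" "$demo/step-tickers")"
echo "sync:   $(ntp_sync_state)"
rm -rf "$demo"
```

A "server" or "multicast+step-tickers" result only says a source is configured; "unsynchronised" or "unknown" from ntp_sync_state is the broken-servers case the reply describes.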




_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
