On 10/24/13, 12:33 PM, Steinke, Leland J Sr CTR DISA FSO (US) wrote:
This Rule verifies that there is an NTP server configured in /etc/ntpd.conf.  
The supporting OVAL performs this check as well as verifying that ntpd is 
enabled, by extending RHEL-06-000247/service_ntpd_enabled.  Arguments could be 
made that these Rules should pass or fail independently or that, if ntpd (or 
ntpdate) is not enabled or used, it does not matter whether a server is 
configured in /etc/ntpd.conf.

There is a patch below my signature block to remove the dependency entirely.


Regards,
--
Leland Steinke, Security+
DISA FSO Technical Support Contractor
tapestry technologies, Inc
717-267-5797 (DSN 570)
[email protected]  (gov't)
[email protected]  (com'l)

8<====================

Subject: [PATCH] remove dependency between ntpd service and /etc/ntpd.conf 
server configuration

---
   RHEL6/input/checks/ntp_remote_server.xml |    4 +---
   1 files changed, 1 insertions(+), 3 deletions(-)

diff --git a/RHEL6/input/checks/ntp_remote_server.xml
b/RHEL6/input/checks/ntp_remote_server.xml
index b630ae4..750d640 100644
--- a/RHEL6/input/checks/ntp_remote_server.xml
+++ b/RHEL6/input/checks/ntp_remote_server.xml
@@ -9,9 +9,7 @@
         specified (and dependencies are met)</description>
         <reference source="MED" ref_id="20130819" ref_url="test_attestation" />
       </metadata>
-    <criteria comment="ntpd is enabled and conditions are met"
operator="AND">
-      <extend_definition comment="ntpd is enabled"
-      definition_ref="service_ntpd_enabled" />
+    <criteria comment="ntp.conf conditions are met">
         <criterion test_ref="test_ntp_remote_server" />
       </criteria>
     </definition>
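
Review bot: the `<description>` context line at the top of this hunk still ends with "(and dependencies are met)", but once the `extend_definition` on `service_ntpd_enabled` is removed the definition has no dependency left, so the description should be updated in the same patch to match the criteria. The commit subject also names /etc/ntpd.conf while the new criteria comment says "ntp.conf conditions are met"; make the two agree on the file name.
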
-- 1.7.1

Thanks Leland! I was flip-flopping on this until I read Ray's response... his use case of multicastclient is reasonable for these checks to be broken apart.

Ack

IIRC you have commit rights, but let us know if you need someone to push for you. Actually.... just sign up for commit rights already!
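
Added example, not part of the thread or of the scap-security-guide code base: a minimal evaluator for the criteria tree touched by the patch, showing how the `extend_definition` coupling changes the rule's result on a host where a server is configured but ntpd is not enabled. The two definitions are simplified copies of the criteria blocks in the diff, and the host state is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified definitions modelled on the criteria blocks in the patch
# (SSG shorthand, no OVAL namespaces). BEFORE couples the rule to the service check.
BEFORE = """<definition id="ntp_remote_server">
  <criteria comment="ntpd is enabled and conditions are met" operator="AND">
    <extend_definition comment="ntpd is enabled" definition_ref="service_ntpd_enabled" />
    <criterion test_ref="test_ntp_remote_server" />
  </criteria>
</definition>"""

AFTER = """<definition id="ntp_remote_server">
  <criteria comment="ntp.conf conditions are met">
    <criterion test_ref="test_ntp_remote_server" />
  </criteria>
</definition>"""


def evaluate(node, tests, definitions):
    """Evaluate a criteria tree to True/False from known test and definition results."""
    if node.tag == "criterion":
        result = tests[node.get("test_ref")]
    elif node.tag == "extend_definition":
        result = definitions[node.get("definition_ref")]
    else:  # <criteria>: OVAL defaults the operator to AND when it is omitted
        children = [evaluate(c, tests, definitions) for c in node]
        op = node.get("operator", "AND").upper()
        if op not in ("AND", "OR"):
            raise ValueError(f"operator {op} not handled in this example")
        result = all(children) if op == "AND" else any(children)
    return (not result) if node.get("negate", "false") == "true" else result


def dependencies(xml_text):
    """List the definitions that this definition extends."""
    root = ET.fromstring(xml_text)
    return [e.get("definition_ref") for e in root.iter("extend_definition")]


def rule_result(xml_text, tests, definitions):
    """Result of the definition's top-level criteria for the given host state."""
    return evaluate(ET.fromstring(xml_text).find("criteria"), tests, definitions)


# Constructed host state: a server line is present, but ntpd is not enabled.
TESTS = {"test_ntp_remote_server": True}
DEFS = {"service_ntpd_enabled": False}

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, dependencies(doc), rule_result(doc, TESTS, DEFS))
```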