Public bug reported:
Source: CIS_Ubuntu_Linux_20.04_LTS_Benchmark_v1.1.0.pdf
Link: https://workbench.cisecurity.org/files/3228 (download PDF)
cis-audit level2_server fails on rule_CIS-2.2.1.3 but passes all manual
checks.
===================
Title Ensure chrony is configured
Rule xccdf_com.ubuntu.focal.cis_rule_CIS-2.2.1.3
Result fail
===================
2.1.1.3 Ensure chrony is configured (Automated)
(xccdf_com.ubuntu.focal.cis_rule_CIS-2.2.1.3)
Please note that with CIS_Ubuntu_Linux_20.04_LTS_Benchmark_v1.1.0 by CIS
the numbering is no longer aligned to the xccdf file with
xccdf_com.ubuntu.focal.cis_rule_CIS-2.2.1.3
===================
Procedure:
Verify that only one time synchronization method is in use on the system: Run
the following command to verify that ntp is not installed.
# dpkg -s ntp | grep -E '(Status:|not installed)'
Expected result:
dpkg-query: package 'ntp' is not installed and no information is available
Actual result:
dpkg-query: package 'ntp' is not installed and no information is available
===================
NEXT
Run the following command to verify that systemd-timesyncd is masked:
# systemctl is-enabled systemd-timesyncd
Expected result:
masked
Actual result:
masked
===================
NEXT
Verify that chrony is configured: Run the following command and verify remote
server is configured properly:
# grep -E "^(server|pool)" /etc/chrony/chrony.conf
Expected result:
server <remote-server>
Actual result:
server 0.pool.ntp.org minpoll 8
server 1.pool.ntp.org minpoll 8
server 2.pool.ntp.org minpoll 8
server 3.pool.ntp.org minpoll 8
===================
NEXT
Run the following command and verify the first field for the chronyd process is
_chrony:
# ps -ef | grep chronyd
Expected result:
_chrony 491 1 0 20:32 ? 00:00:00 /usr/sbin/chronyd
Actual result:
_chrony 1092 1 0 17:35 ? 00:00:00 /usr/sbin/chronyd -F -1
_chrony 1099 1092 0 17:35 ? 00:00:00 /usr/sbin/chronyd -F -1
===================
===================
No errors or events within the logs.
===================
OS Version (lsb_release)
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal
US Version
27.2.2~20.04.1
ua status
SERVICE       ENTITLED  STATUS    DESCRIPTION
cis           yes       enabled   Center for Internet Security Audit Tools
esm-infra     yes       enabled   UA Infra: Extended Security Maintenance (ESM)
fips          yes       disabled  NIST-certified core packages
fips-updates  yes       disabled  NIST-certified core packages with priority security updates
livepatch     yes       enabled   Canonical Livepatch service
===================
Expected result is that it should pass but process fails.
** Affects: ubuntu-advantage-tools (Ubuntu)
Importance: Undecided
Status: New
** Tags: cis-audit
--
https://bugs.launchpad.net/bugs/1943188
Title:
Ensure chrony is configured (Automated)
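An added example, not taken from the report or from the cis-audit tool: the chrony.conf and chronyd-user checks from the procedure above, written as shell functions that accept multi-line output such as the "Actual result" sections show (several server lines, two chronyd processes started with arguments). The function names are assumptions, and the failing `ps` sample is constructed.

```shell
#!/bin/sh
# Added example (assumed function names): two of the manual checks from the
# report, written to read captured command output on stdin.

# Pass when at least one line starts with "server <host>" or "pool <host>",
# mirroring: grep -E "^(server|pool)" /etc/chrony/chrony.conf
check_chrony_sources() {
    awk '/^(server|pool)[ \t]+[^ \t#]/ { found = 1 }
         END { exit !found }'
}

# Pass when at least one chronyd process exists and every one runs as _chrony.
# Field 8 of `ps -ef` is the command, so the "grep chronyd" line is ignored
# and extra arguments or child processes do not affect the result.
check_chronyd_user() {
    awk '$8 ~ /(^|\/)chronyd$/ {
             seen = 1
             if ($1 != "_chrony") bad = 1
         }
         END { exit !(seen && !bad) }'
}

# Output copied from the "Actual result" sections of the report.
reported_conf() {
    printf '%s\n' 'server 0.pool.ntp.org minpoll 8' \
                  'server 1.pool.ntp.org minpoll 8' \
                  'server 2.pool.ntp.org minpoll 8' \
                  'server 3.pool.ntp.org minpoll 8'
}
reported_ps() {
    printf '%s\n' '_chrony 1092 1 0 17:35 ? 00:00:00 /usr/sbin/chronyd -F -1' \
                  '_chrony 1099 1092 0 17:35 ? 00:00:00 /usr/sbin/chronyd -F -1'
}

# Constructed counter-example: chronyd running as root, plus the grep itself.
constructed_bad_ps() {
    printf '%s\n' 'root 1092 1 0 17:35 ? 00:00:00 /usr/sbin/chronyd -F -1' \
                  'root 2000 1500 0 17:40 pts/0 00:00:00 grep chronyd'
}

if reported_conf | check_chrony_sources; then echo "sources: pass"; else echo "sources: fail"; fi
if reported_ps | check_chronyd_user; then echo "user (reported): pass"; else echo "user (reported): fail"; fi
if constructed_bad_ps | check_chronyd_user; then echo "user (constructed): pass"; else echo "user (constructed): fail"; fi
```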