usg remediation for chrony rule 2.3.3.2: Missing trailing new line

Bug #2061117 reported by Gaetan Gouzi
Affects: NTP Charm | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

- Version: Ubuntu 22.04.4 LTS Jammy + usg 22.04.6
- NTP charm: 4.2 latest/stable rev 50
- Context: Applying cis_level1 hardening on units with ntp-charm subordinate
- Problem: NTP unit blocked after reboot `chrony: Not running`
- Debugging: `Fatal error : Too many arguments for include directive at line 45 in file /etc/chrony/chrony.conf`

Indeed the line in `/etc/chrony/chrony.conf` looks like
```
include /etc/chrony/conf.d/*.confuser _chrony
```

Whereas the same line looks like this on a non-hardened unit:
```
include /etc/chrony/conf.d/*.conf
```

We suspect the CIS rule `2.3.3.2 Ensure chrony is running as user _chrony (Automated)` remediation script is defective. CIS documentation mentioned the following for this rule:

```
Remediation:
Add or edit the user line to /etc/chrony/chrony.conf or a file ending in .conf in
/etc/chrony/conf.d/:
user _chrony
```

Configuration should ideally look like this:
```
include /etc/chrony/conf.d/*.conf
user _chrony
```

If we manually fix it, NTP charm becomes active/idle.
We suspect we are missing a trailing new line upon appending `user _chrony` to the `/etc/chrony/chrony.conf`.

The ntp-charm seems to replace the chrony configuration with a template: https://git.launchpad.net/ntp-charm/tree/templates/chrony.conf where the trailing new line gets stripped.
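As an added illustration (not part of the bug report, the usg remediation script or the ntp-charm), the shell functions below reproduce the defect on a constructed copy of the template line and show the append done safely: check the last byte of the file and restore the line break before writing `user _chrony`. File paths are temporary files created by the script, not the real `/etc/chrony/chrony.conf`.

```shell
# Return 0 when the file is empty or its last byte is a newline (0x0a), 1 otherwise.
ends_with_newline() {
    f="$1"
    [ ! -s "$f" ] && return 0
    last=$(tail -c 1 "$f" | od -An -tx1 | tr -d ' \n')
    [ "$last" = "0a" ]
}

# Append a config line; if the current last line is unterminated, terminate it first.
append_conf_line() {
    f="$1"
    line="$2"
    ends_with_newline "$f" || printf '\n' >> "$f"
    printf '%s\n' "$line" >> "$f"
}

# Audit check: is there a standalone "user _chrony" line in the given file?
chrony_user_line_ok() {
    grep -q '^user _chrony$' "$1"
}

# Reproduce the defect: the template's last line has no trailing newline,
# and the remediation appends "user _chrony" without checking for one.
demo_broken() {
    f=$(mktemp)
    printf 'include /etc/chrony/conf.d/*.conf' > "$f"   # constructed input, no trailing newline
    printf 'user _chrony\n' >> "$f"                       # naive append
    cat "$f"
    rm -f "$f"
}

# Same input, but appended through the helper that restores the line break.
demo_fixed() {
    f=$(mktemp)
    printf 'include /etc/chrony/conf.d/*.conf' > "$f"   # constructed input, no trailing newline
    append_conf_line "$f" 'user _chrony'
    cat "$f"
    rm -f "$f"
}
```

Running `demo_broken` prints the merged `include /etc/chrony/conf.d/*.confuser _chrony` line from the report, while `demo_fixed` prints the two-line configuration the reporter expects; `chrony_user_line_ok` is the check to run on the hardened unit before rebooting it.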
