Ubuntu Security Guide

usg remediation for chrony rule 2.3.3.2: Missing trailing new line

Bug #2061072 reported by Gaetan Gouzi on 2024-04-12

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Ubuntu Security Guide	Fix Committed	Undecided	Miha Purg

Bug Description

- Version: Ubuntu 22.04.4 LTS Jammy + usg 22.04.6
- Context: Applying cis_level1 hardening on units with ntp-charm subordinate
- Problem: NTP unit blocked after reboot `chrony: Not running`
- Debugging: `Fatal error : Too many arguments for include directive at line 45 in file /etc/chrony/chrony.conf`

Indeed the line in `/etc/chrony/chrony.conf` looks like
```
include /etc/chrony/conf.d/*.confuser _chrony`
```

Whereas the same line look like this on a non-hardened unit:
```
include /etc/chrony/conf.d/*.conf
```

We suspect the CIS rule `2.3.3.2 Ensure chrony is running as user _chrony (Automated)` remediation script is defective. CIS documentation mentioned the following for this rule:

```
Remediation:
Add or edit the user line to /etc/chrony/chrony.conf or a file ending in .conf in
/etc/chrony/conf.d/:
user _chrony
```

Configuration should ideally look like this:
```
include /etc/chrony/conf.d/*.conf
user _chrony
```

If we manually fix it, NTP charm becomes active/idle.
We suspect we are missing a trailing new line upon appending `user _chrony` to the `/etc/chrony/chrony.conf`.

Revision history for this message

Miha Purg (mihap) wrote on 2024-04-12 (last edit on 2024-04-14):

Hi, thanks for reporting the issue!

We can't guarantee that the remediation scripts will behave as intended
on a customized system, since it's not possible to account for all the
unknown use cases. The remediations should only be run on a clean installation
of Ubuntu, where they were properly tested.

Looking at the issue you're observing, I suspect that the
ntp-charm replaces the default chrony config with a templated version
(https://git.launchpad.net/ntp-charm/tree/templates/chrony.conf),
which gets stripped of the trailing newline during templating, causing
the remediation to fail, since the script assumes the config file to end with a newline,
as it should (https://pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap03.html#tag_03_392).

I would suggest bringing this up with ntp-charm developers.

Changed in usg:
assignee:	nobody → Miha Purg (mihap)
status:	New → Invalid

Revision history for this message

Gaetan Gouzi (ggouzi) wrote on 2024-04-12:

Thank you for the additional information, will contact ntp-charm team

Revision history for this message

Miha Purg (mihap) wrote on 2024-04-15 (last edit on 2024-04-16):

I decided to add the fix to usg in the end, since it's an easy fix and it might reach you sooner via an usg update.

Changed in usg:
status:	Invalid → In Progress

Miha Purg (mihap) on 2024-04-16

Changed in usg:
status:	In Progress → Fix Committed

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.