usg remediation for chrony rule 2.3.3.2: Missing trailing new line
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu Security Guide | Fix Released | Undecided | Miha Purg |
Bug Description
- Version: Ubuntu 22.04.4 LTS Jammy + usg 22.04.6
- Context: Applying cis_level1 hardening on units with ntp-charm subordinate
- Problem: NTP unit blocked after reboot `chrony: Not running`
- Debugging: `Fatal error : Too many arguments for include directive at line 45 in file /etc/chrony/
Indeed the line in `/etc/chrony/
```
include /etc/chrony/
```
Whereas the same line looks like this on a non-hardened unit:
```
include /etc/chrony/
```
We suspect the CIS rule `2.3.3.2 Ensure chrony is running as user _chrony (Automated)` remediation script is defective. CIS documentation mentioned the following for this rule:
```
Remediation:
Add or edit the user line to /etc/chrony/
/etc/chrony/
user _chrony
```
Configuration should ideally look like this:
```
include /etc/chrony/
user _chrony
```
If we manually fix it, NTP charm becomes active/idle.
We suspect we are missing a trailing new line upon appending `user _chrony` to the `/etc/chrony/
Changed in usg: status: In Progress → Fix Committed
Changed in usg: status: Fix Committed → Fix Released
Hi, thanks for reporting the issue!
We can't guarantee that the remediation scripts will behave as intended
on a customized system, since it's not possible to account for all the
unknown use cases. The remediations should only be run on a clean installation
of Ubuntu, where they were properly tested.
Looking at the issue you're observing, I suspect that the
ntp-charm replaces the default chrony config with a templated version
(https://git.launchpad.net/ntp-charm/tree/templates/chrony.conf),
which gets stripped of the trailing newline during templating, causing
the remediation to fail, since the script assumes the config file to end with a newline,
as it should (https://pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap03.html#tag_03_392).
I would suggest bringing this up with ntp-charm developers.
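The failure discussed in this bug, and one way to append a directive that does not depend on the target file ending with a newline, as an added example. This is not the usg remediation script (whose source is not shown here) and not ntp-charm code; the sample `include` line, the temporary file paths and the helper names are constructed for the example.

```shell
#!/bin/sh
# Added example: appending "user _chrony" to a chrony config that may or may
# not end with a newline. Helper names, the sample include line and the use of
# mktemp are assumptions for this demonstration, not usg's actual script.
set -eu

# Naive append: the behaviour the bug describes. If the last line has no
# trailing newline, the directive is glued onto it, producing one line such as
# "include ...confuser _chrony", which chrony rejects.
naive_append() {
    printf 'user _chrony\n' >> "$1"
}

# True if the file is non-empty and its last byte is a newline. Command
# substitution strips trailing newlines, so "$(tail -c 1 f)" is empty exactly
# when the final byte is "\n".
ends_with_newline() {
    [ -s "$1" ] && [ -z "$(tail -c 1 "$1")" ]
}

# Safe append: terminate an unterminated last line first, then add the directive.
safe_append() {
    file=$1
    line=$2
    if [ -s "$file" ] && ! ends_with_newline "$file"; then
        printf '\n' >> "$file"
    fi
    printf '%s\n' "$line" >> "$file"
}

# "Add or edit the user line": rewrite an existing "user" directive in place,
# otherwise append one safely. Uses a temp file instead of sed -i for portability.
ensure_user_chrony() {
    file=$1
    if grep -q '^user ' "$file"; then
        sed 's/^user .*/user _chrony/' "$file" > "$file.tmp"
        mv "$file.tmp" "$file"
    else
        safe_append "$file" 'user _chrony'
    fi
}

# Constructed input: an include line with NO trailing newline, like the
# templated config described in the bug (the real path is not shown here).
write_sample_without_newline() {
    printf 'include /etc/chrony/sample.conf' > "$1"
}

# Reproduces the bug: returns the resulting file content.
run_naive() {
    f=$(mktemp)
    write_sample_without_newline "$f"
    naive_append "$f"
    cat "$f"
    rm -f "$f"
}

# Applies the robust remediation to the same input: returns the file content.
run_safe() {
    f=$(mktemp)
    write_sample_without_newline "$f"
    ensure_user_chrony "$f"
    cat "$f"
    rm -f "$f"
}

# Existing user line on a properly terminated file: edited, not duplicated.
run_safe_existing() {
    f=$(mktemp)
    printf 'include /etc/chrony/sample.conf\nuser root\n' > "$f"
    ensure_user_chrony "$f"
    cat "$f"
    rm -f "$f"
}
```

Run `run_naive` and `run_safe` after sourcing the file to see the single merged line versus the two expected lines; `ensure_user_chrony` can be pointed at any file whose last line may lack its newline.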