This Rule verifies that there is an NTP server configured in /etc/ntpd.conf. The supporting OVAL performs this check as well as verifying that ntpd is enabled, by extending RHEL-06-000247/service_ntpd_enabled. Arguments could be made that these Rules should pass or fail independently or that, if ntpd (or ntpdate) is not enabled or used, it does not matter whether a server is configured in /etc/ntpd.conf.
There is a patch below my signature block to remove the dependency entirely.
Regards, -- Leland Steinke, Security+ DISA FSO Technical Support Contractor tapestry technologies, Inc 717-267-5797 (DSN 570) leland.j.steinke.ctr@mail.mil (gov't) lsteinke@tapestrytech.com (com'l)
8<====================
Subject: [PATCH] remove dependency between ntpd service and /etc/ntpd.conf server configuration
--- RHEL6/input/checks/ntp_remote_server.xml | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-)
diff --git a/RHEL6/input/checks/ntp_remote_server.xml b/RHEL6/input/checks/ntp_remote_server.xml index b630ae4..750d640 100644 --- a/RHEL6/input/checks/ntp_remote_server.xml +++ b/RHEL6/input/checks/ntp_remote_server.xml @@ -9,9 +9,7 @@ specified (and dependencies are met)</description> <reference source="MED" ref_id="20130819" ref_url="test_attestation" /> </metadata> - <criteria comment="ntpd is enabled and conditions are met" operator="AND"> - <extend_definition comment="ntpd is enabled" - definition_ref="service_ntpd_enabled" /> + <criteria comment="ntp.conf conditions are met"> <criterion test_ref="test_ntp_remote_server" /> </criteria> </definition>
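Review bot: The context line at the top of this hunk still ends the description with "(and dependencies are met)", but once the extend_definition to service_ntpd_enabled is removed there is no dependency left to meet; update the description in the same patch so the reported text matches what is evaluated. Dropping operator="AND" on the new criteria element is fine for a single criterion, since AND is the OVAL default. With this change the definition passes on a host where ntpd is disabled as long as test_ntp_remote_server matches, so the enabled check has to be carried entirely by its own rule. The subject line says /etc/ntpd.conf while the new criteria comment says ntp.conf; use one name in both.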
Classification: UNCLASSIFIED Caveats: NONE
It would be nice if the prose/check allowed for cases where you have a "multicastclient" line in ntp.conf and servers defined in step-tickers, for large sites that don't want every client going directly to the NTP servers. Though I wonder if there are very many sites fitting this description (or I should just get over it and write a PoA&M for this one).
FWIW, this would fall under the case of "ntpd enabled but servers not defined in ntp.conf". Ideally, I wish we could simply use ntpstat to answer one rule ("is NTP actually working?"), as you could easily have broken servers defined and ntpd running but no time synchronization. That's not the way the rules are currently spelled out, though, and I'm not sure if OVAL can do that.
-- Ray Shaw Contractor, STG Unix support, Army Research Labs
-----Original Message----- From: scap-security-guide-bounces@lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Steinke, Leland J Sr CTR DISA FSO (US) Sent: Thursday, October 24, 2013 12:33 PM To: scap-security-guide@lists.fedorahosted.org Subject: STIG ID RHEL-06-000248 / SSG ID ntpd_specify_remote_server
On 10/24/13, 1:44 PM, Shaw, Ray V CTR USARMY ARL (US) wrote:
It would be nice if the prose/check allowed for cases where you have a "multicastclient" line in ntp.conf and servers defined in step-tickers, for large sites that don't want every client going directly to the NTP servers. Though I wonder if there are very many sites fitting this description (or I should just get over it and write a PoA&M for this one).
FWIW, this would fall under the case of "ntpd enabled but servers not defined in ntp.conf". Ideally, I wish we could simply use ntpstat to answer one rule ("is NTP actually working?"), as you could easily have broken servers defined and ntpd running but no time synchronization. That's not the way the rules are currently spelled out, though, and I'm not sure if OVAL can do that.
I tried stracing ntpstat to figure out what it was doing. There doesn't seem to be a clear "grep this file for this regex" approach we could take...
OVAL could be updated to check if multicast & step-tickers are configured, and pass if so. Want to take a stab at it? :)
Thanks Leland! I was flip flopping on this until I read Ray's response... his use case of multicastclient is reasonable for these checks to be broken apart.
Ack
IIRC you have commit rights, but let us know if you need someone to push for you. Actually.... just sign up for commit rights already!
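The pass condition discussed in this thread (a server line in ntp.conf, or a multicastclient line together with hosts in step-tickers, judged separately from whether ntpd is enabled), as an added shell example that is not part of the thread or of the scap-security-guide project. The function names are hypothetical, the sample files are constructed, and the RHEL 6 location /etc/ntp/step-tickers is an assumption the thread does not state.

```shell
#!/bin/sh
# Added example: evaluates only the "time source is configured" rule.
# Whether ntpd is enabled is a separate rule and is not checked here.

# True if FILE has an uncommented "server <host>" line.
has_server_line() {
    grep -Eq '^[[:space:]]*server[[:space:]]+[^[:space:]#]+' "$1" 2>/dev/null
}

# True if FILE has an uncommented "multicastclient" directive.
has_multicastclient() {
    grep -Eq '^[[:space:]]*multicastclient([[:space:]]|$)' "$1" 2>/dev/null
}

# True if FILE lists at least one host (a non-blank, non-comment line).
has_step_ticker() {
    grep -Eq '^[[:space:]]*[^[:space:]#]' "$1" 2>/dev/null
}

# ntp_source_rule NTP_CONF STEP_TICKERS
# Prints "pass: <reason>" or "fail: <reason>"; exit status 0 on pass.
ntp_source_rule() {
    conf="$1"
    tickers="$2"
    if [ ! -r "$conf" ]; then
        echo "fail: ntp.conf not readable"
        return 1
    fi
    if has_server_line "$conf"; then
        echo "pass: server line in ntp.conf"
        return 0
    fi
    if has_multicastclient "$conf" && has_step_ticker "$tickers"; then
        echo "pass: multicastclient with step-tickers"
        return 0
    fi
    echo "fail: no server line and no multicastclient with step-tickers"
    return 1
}

# Constructed sample: a multicast client whose servers live in step-tickers.
demo=$(mktemp -d)
printf '# server ntp.example.test\nmulticastclient\n' > "$demo/ntp.conf"
printf '192.0.2.10\n' > "$demo/step-tickers"
ntp_source_rule "$demo/ntp.conf" "$demo/step-tickers"
rm -rf "$demo"
```

On a real host the two arguments would be /etc/ntp.conf and the step-tickers file; a pass here says nothing about whether time is actually synchronized, which is the gap Ray raises with ntpstat.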