Merge pull request #14649 from vickeybrown/CMP-3618-chrony-wait-fix

CMP-3618 added chrony-wait fix

Author: Mab879

components/chrony.yml

@@ -14,6 +14,7 @@ rules:
 - service_chronyd_enabled
 - chrony_set_nts
 - chronyd_client_only
+- chronyd_configure_local_socket
 - chronyd_no_chronyc_network
 - chronyd_or_ntpd_specify_multiple_servers
 - chronyd_sync_clock

components/ntp.yml

@@ -5,6 +5,7 @@ packages:
 - ntp
 rules:
 - chronyd_client_only
+- chronyd_configure_local_socket
 - chronyd_configure_pool_and_server
 - chronyd_no_chronyc_network
 - chronyd_or_ntpd_set_maxpoll

controls/cusp_fedora.yml

@@ -271,6 +271,7 @@ controls:
           # chrony
           - chronyd_client_only
           - chronyd_no_chronyc_network
+          - chronyd_configure_local_socket
           - chronyd_or_ntpd_set_maxpoll
           - chronyd_run_as_chrony_user
           - chronyd_specify_remote_server

controls/nist_rhcos4.yml

@@ -5222,6 +5222,7 @@ controls:
           https://issues.redhat.com/browse/CMP-274
       rules:
           - chronyd_no_chronyc_network
+          - chronyd_configure_local_socket
       description: |-
           The organization:
            (a)   Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and

controls/stig_ol9.yml

@@ -1416,6 +1416,7 @@ controls:
       title: OL 9 must disable network management of the chrony daemon.
       rules:
           - chronyd_no_chronyc_network
+          - chronyd_configure_local_socket
       status: automated
 
     - id: OL09-00-006003

linux_os/guide/services/ntp/chronyd_configure_local_socket/ansible/rhel8.yml

@@ -0,0 +1,46 @@
+# platform = Oracle Linux 8,Red Hat Enterprise Linux 8
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+# Fix chrony-wait.service to use Unix socket instead of network socket
+# RHEL 8 version without additional hardening (KCS 7064388)
+- name: "{{{ rule_title }}} - Check if chrony-wait.service exists"
+  ansible.builtin.stat:
+    path: /usr/lib/systemd/system/chrony-wait.service
+  register: chrony_wait_service
+
+- name: "{{{ rule_title }}} - Replace chrony-wait.service to use Unix socket (KCS 7064388)"
+  ansible.builtin.copy:
+    dest: /etc/systemd/system/chrony-wait.service
+    content: |
+      [Unit]
+      Description=Wait for chrony to synchronize system clock(KCS 7064388)
+      Documentation=man:chronyc(1)
+      After=chronyd.service
+      Requires=chronyd.service
+      Before=time-sync.target
+      Wants=time-sync.target
+
+      [Service]
+      Type=oneshot
+      # Wait for chronyd to update the clock and the remaining
+      # correction to be less than 0.1 seconds
+      ExecStart=/usr/bin/chronyc waitsync 0 0.1 0.0 1
+      # Wait for at most 3 minutes
+      TimeoutStartSec=180
+      RemainAfterExit=yes
+      StandardOutput=null
+
+      [Install]
+      WantedBy=multi-user.target
+    mode: '0644'
+  when: chrony_wait_service.stat.exists
+
+- name: "{{{ rule_title }}} - Reload systemd daemon and enable chrony-wait.service"
+  ansible.builtin.systemd:
+    name: chrony-wait.service
+    daemon_reload: yes
+    enabled: yes
+  when: chrony_wait_service.stat.exists

linux_os/guide/services/ntp/chronyd_configure_local_socket/ansible/rhel9.yml

@@ -0,0 +1,76 @@
+# platform = Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_almalinux,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+# Fix chrony-wait.service to use Unix socket instead of network socket
+# RHEL 9+ version with hardening directives (KCS 7064388)
+- name: "{{{ rule_title }}} - Check if chrony-wait.service exists"
+  ansible.builtin.stat:
+    path: /usr/lib/systemd/system/chrony-wait.service
+  register: chrony_wait_service
+
+- name: "{{{ rule_title }}} - Replace chrony-wait.service to use Unix socket (KCS 7064388)"
+  ansible.builtin.copy:
+    dest: /etc/systemd/system/chrony-wait.service
+    content: |
+      [Unit]
+      Description=Wait for chrony to synchronize system clock(KCS 7064388)
+      Documentation=man:chronyc(1)
+      After=chronyd.service
+      Requires=chronyd.service
+      Before=time-sync.target
+      Wants=time-sync.target
+
+      [Service]
+      Type=oneshot
+      # Wait for chronyd to update the clock and the remaining
+      # correction to be less than 0.1 seconds
+      ExecStart=/usr/bin/chronyc waitsync 0 0.1 0.0 1
+      # Wait for at most 3 minutes
+      TimeoutStartSec=180
+      RemainAfterExit=yes
+      StandardOutput=null
+
+      CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+      CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE
+      CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN
+      CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT
+      CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM
+      DevicePolicy=closed
+      #DynamicUser=yes
+      IPAddressAllow=localhost
+      IPAddressDeny=any
+      LockPersonality=yes
+      MemoryDenyWriteExecute=yes
+      PrivateDevices=yes
+      ProcSubset=pid
+      ProtectClock=yes
+      ProtectControlGroups=yes
+      ProtectHome=yes
+      ProtectHostname=yes
+      ProtectKernelLogs=yes
+      ProtectKernelModules=yes
+      ProtectKernelTunables=yes
+      ProtectProc=invisible
+      ProtectSystem=strict
+      RestrictAddressFamilies=AF_UNIX
+      RestrictNamespaces=yes
+      RestrictRealtime=yes
+      SystemCallArchitectures=native
+      SystemCallFilter=@system-service
+      SystemCallFilter=~@privileged @resources
+      UMask=0777
+
+      [Install]
+      WantedBy=multi-user.target
+    mode: '0644'
+  when: chrony_wait_service.stat.exists
+
+- name: "{{{ rule_title }}} - Reload systemd daemon and enable chrony-wait.service"
+  ansible.builtin.systemd:
+    name: chrony-wait.service
+    daemon_reload: yes
+    enabled: yes
+  when: chrony_wait_service.stat.exists

linux_os/guide/services/ntp/chronyd_configure_local_socket/bash/rhel8.sh

@@ -0,0 +1,31 @@
+# platform = Oracle Linux 8,Red Hat Enterprise Linux 8
+
+# Fix chrony-wait.service to use Unix socket instead of network socket
+# The default service uses -h 127.0.0.1,::1 which fails when cmdport is 0
+# RHEL 8 version without additional hardening (KCS 7064388)
+if systemctl list-unit-files chrony-wait.service >/dev/null 2>&1; then
+    cat > /etc/systemd/system/chrony-wait.service << 'EOF'
+[Unit]
+Description=Wait for chrony to synchronize system clock(KCS 7064388)
+Documentation=man:chronyc(1)
+After=chronyd.service
+Requires=chronyd.service
+Before=time-sync.target
+Wants=time-sync.target
+
+[Service]
+Type=oneshot
+# Wait for chronyd to update the clock and the remaining
+# correction to be less than 0.1 seconds
+ExecStart=/usr/bin/chronyc waitsync 0 0.1 0.0 1
+# Wait for at most 3 minutes
+TimeoutStartSec=180
+RemainAfterExit=yes
+StandardOutput=null
+
+[Install]
+WantedBy=multi-user.target
+EOF
+    systemctl daemon-reload
+    systemctl enable chrony-wait.service
+fi

linux_os/guide/services/ntp/chronyd_configure_local_socket/bash/rhel9.sh

@@ -0,0 +1,61 @@
+# platform = Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_almalinux,multi_platform_fedora
+
+# Fix chrony-wait.service to use Unix socket instead of network socket
+# The default service uses -h 127.0.0.1,::1 which fails when cmdport is 0
+# RHEL 9+ version with hardening directives (KCS 7064388)
+if systemctl list-unit-files chrony-wait.service >/dev/null 2>&1; then
+    cat > /etc/systemd/system/chrony-wait.service << 'EOF'
+[Unit]
+Description=Wait for chrony to synchronize system clock(KCS 7064388)
+Documentation=man:chronyc(1)
+After=chronyd.service
+Requires=chronyd.service
+Before=time-sync.target
+Wants=time-sync.target
+
+[Service]
+Type=oneshot
+# Wait for chronyd to update the clock and the remaining
+# correction to be less than 0.1 seconds
+ExecStart=/usr/bin/chronyc waitsync 0 0.1 0.0 1
+# Wait for at most 3 minutes
+TimeoutStartSec=180
+RemainAfterExit=yes
+StandardOutput=null
+
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM
+DevicePolicy=closed
+#DynamicUser=yes
+IPAddressAllow=localhost
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+UMask=0777
+
+[Install]
+WantedBy=multi-user.target
+EOF
+    systemctl daemon-reload
+    systemctl enable chrony-wait.service
+fi

linux_os/guide/services/ntp/chronyd_configure_local_socket/kubernetes/shared.yml

@@ -0,0 +1,19 @@
+---
+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%5BUnit%5D%0ADescription%3DWait%20for%20chrony%20to%20synchronize%20system%20clock%20%28KCS%207064388%29%0ADocumentation%3Dman%3Achronyc%281%29%0AAfter%3Dchronyd.service%0ARequires%3Dchronyd.service%0ABefore%3Dtime-sync.target%0AWants%3Dtime-sync.target%0A%0A%5BService%5D%0AType%3Doneshot%0AExecStart%3D%2Fusr%2Fbin%2Fchronyc%20waitsync%200%200.1%200.0%201%0ATimeoutStartSec%3D180%0ARemainAfterExit%3Dyes%0AStandardOutput%3Dnull%0A%0ACapabilityBoundingSet%3D~CAP_AUDIT_CONTROL%20CAP_AUDIT_READ%20CAP_AUDIT_WRITE%0ACapabilityBoundingSet%3D~CAP_BLOCK_SUSPEND%20CAP_KILL%20CAP_LEASE%20CAP_LINUX_IMMUTABLE%0ACapabilityBoundingSet%3D~CAP_MAC_ADMIN%20CAP_MAC_OVERRIDE%20CAP_MKNOD%20CAP_SYS_ADMIN%0ACapabilityBoundingSet%3D~CAP_SYS_BOOT%20CAP_SYS_CHROOT%20CAP_SYS_MODULE%20CAP_SYS_PACCT%0ACapabilityBoundingSet%3D~CAP_SYS_PTRACE%20CAP_SYS_RAWIO%20CAP_SYS_TTY_CONFIG%20CAP_WAKE_ALARM%0ADevicePolicy%3Dclosed%0AIPAddressAllow%3Dlocalhost%0AIPAddressDeny%3Dany%0ALockPersonality%3Dyes%0AMemoryDenyWriteExecute%3Dyes%0APrivateDevices%3Dyes%0AProcSubset%3Dpid%0AProtectClock%3Dyes%0AProtectControlGroups%3Dyes%0AProtectHome%3Dyes%0AProtectHostname%3Dyes%0AProtectKernelLogs%3Dyes%0AProtectKernelModules%3Dyes%0AProtectKernelTunables%3Dyes%0AProtectProc%3Dinvisible%0AProtectSystem%3Dstrict%0ARestrictAddressFamilies%3DAF_UNIX%0ARestrictNamespaces%3Dyes%0ARestrictRealtime%3Dyes%0ASystemCallArchitectures%3Dnative%0ASystemCallFilter%3D%40system-service%0ASystemCallFilter%3D~%40privileged%20%40resources%0AUMask%3D0777%0A%0A%5BInstall%5D%0AWantedBy%3Dmulti-user.target%0A
+        mode: 420
+        overwrite: true
+        path: /etc/systemd/system/chrony-wait.service