chrony.conf moved content_rule_chronyd_specify_remote_server now broken

[Commandcracker]

Description of problem:

It seames like chrony.conf has moved from /etc/chrony.conf to /etc/chrony/chrony.conf.
This means xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server will consistently fail as it only checks in /etc/chrony.conf. Other rules might also be affected!

SCAP Security Guide Version:

master

ssg-debian12-ds.xml (enhanced)

Document type: Source Data Stream
Imported: 2023-12-31T02:37:13

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-debian12-xccdf.xml
Generated: (null)
Version: 1.3
Checklists:
        Ref-Id: scap_org.open-scap_cref_ssg-debian12-xccdf.xml
                Status: draft
                Generated: 2023-12-23
                Resolved: true
                Profiles:
                        Title: ANSSI-BP-028 (enhanced)
                                Id: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
                        Title: ANSSI-BP-028 (high)
                                Id: xccdf_org.ssgproject.content_profile_anssi_bp28_high
                        Title: ANSSI-BP-028 (intermediary)
                                Id: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
                        Title: ANSSI-BP-028 (minimal)
                                Id: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
                        Title: Profile for ANSSI DAT-NT28 Average (Intermediate) Level
                                Id: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average
                        Title: Profile for ANSSI DAT-NT28 High (Enforced) Level
                                Id: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high
                        Title: Profile for ANSSI DAT-NT28 Minimal Level
                                Id: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal
                        Title: Profile for ANSSI DAT-NT28 Restrictive Level
                                Id: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive
                        Title: Standard System Security Profile for Debian 12
                                Id: xccdf_org.ssgproject.content_profile_standard
                Referenced check files:
                        ssg-debian12-oval.xml
                                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
                        ssg-debian12-ocil.xml
                                system: http://scap.nist.gov/schema/ocil/2
Checks:
        Ref-Id: scap_org.open-scap_cref_ssg-debian12-oval.xml
        Ref-Id: scap_org.open-scap_cref_ssg-debian12-ocil.xml
        Ref-Id: scap_org.open-scap_cref_ssg-debian12-cpe-oval.xml
Dictionaries:
        Ref-Id: scap_org.open-scap_cref_ssg-debian12-cpe-dictionary.xml

Operating System Version:

Debain 12
Linux *** 6.1.0-16-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.67-1 (2023-12-12) x86_64 GNU/Linux

[Commandcracker]

The ansible playbook of content_rule_chronyd_specify_remote_server will set

0.pool.ntp.org
1.pool.ntp.org
2.pool.ntp.org
3.pool.ntp.org

as servers in `chrony.conf if none are defined, but shouldn't they be defined as a pool ?
Is there any reason for them to not have the iburst option by default ?

This will probably add unnecessary complexity:

For linux distros like debian,fedora, etc. there are pools from them
x.debian.pool.ntp.org,x.fedora.pool.ntp.org, etc. shouldn't they be used as default for thair distro ?
There are region specific pools, shouldn't they be set as default ?
There are more NTP servers than ntp.org ones like x.time.google.com,time.cloudflare.com, etc. why aren't they used as default ? ~ probably because ntp.org is decentralized.

[Commandcracker]

There should not be a difference between

0.pool.ntp.org
1.pool.ntp.org
2.pool.ntp.org
3.pool.ntp.org

and
pool.ntp.org
so why do not just use pool.ntp.org ?

[Mab879]

Thanks for reporting this issue.

At least for RHEL 9 it is still in /etc/chrony.conf so that complicates things.

It looks like other distros can use their distro's pool see linux_os/guide/services/ntp/var_multiple_time_servers.var.

It looks like chronyd_specify_remote_server is recommending multiple servers. However I have spot checked a RHEL and Ubuntu Benchmark only says may use more than one server. So moving to pool could be okay.