Public bug reported:

Source: CIS_Ubuntu_Linux_20.04_LTS_Benchmark_v1.1.0.pdf
Link: https://workbench.cisecurity.org/files/3228 (download PDF)

cis-audit level2_server fails on rule_CIS-2.2.1.3 but passes all manual checks.

===================
Title   Ensure chrony is configured
Rule    xccdf_com.ubuntu.focal.cis_rule_CIS-2.2.1.3
Result  fail
===================

2.1.1.3 Ensure chrony is configured (Automated)
(xccdf_com.ubuntu.focal.cis_rule_CIS-2.2.1.3)

Please note that with CIS_Ubuntu_Linux_20.04_LTS_Benchmark_v1.1.0 by CIS the numbering is no longer aligned to the xccdf file with xccdf_com.ubuntu.focal.cis_rule_CIS-2.2.1.3

===================
Procedure:

Verify that only one time synchronization method is in use on the system:

Run the following command to verify that ntp is not installed.

# dpkg -s ntp | grep -E '(Status:|not installed)'

Expected result:
dpkg-query: package 'ntp' is not installed and no information is available

Actual result:
dpkg-query: package 'ntp' is not installed and no information is available

===================
NEXT

Run the following command to verify that systemd-timesyncd is masked:

# systemctl is-enabled systemd-timesyncd

Expected result:
masked

Actual result:
masked

===================
NEXT

Verify that chrony is configured:

Run the following command and verify remote server is configured properly:

# grep -E "^(server|pool)" /etc/chrony/chrony.conf

Expected result:
server <remote-server>

Actual result:
server 0.pool.ntp.org minpoll 8
server 1.pool.ntp.org minpoll 8
server 2.pool.ntp.org minpoll 8
server 3.pool.ntp.org minpoll 8

===================
NEXT

Run the following command and verify the first field for the chronyd process is _chrony:

# ps -ef | grep chronyd

Expected result:
_chrony 491 1 0 20:32 ? 00:00:00 /usr/sbin/chronyd

Actual result:
_chrony 1092 1 0 17:35 ? 00:00:00 /usr/sbin/chronyd -F -1
_chrony 1099 1092 0 17:35 ? 00:00:00 /usr/sbin/chronyd -F -1

===================
===================

No errors or events within the logs.
===================
OS Version (lsb_release)

Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal

US Version
27.2.2~20.04.1

ua status
SERVICE       ENTITLED  STATUS    DESCRIPTION
cis           yes       enabled   Center for Internet Security Audit Tools
esm-infra     yes       enabled   UA Infra: Extended Security Maintenance (ESM)
fips          yes       disabled  NIST-certified core packages
fips-updates  yes       disabled  NIST-certified core packages with priority security updates
livepatch     yes       enabled   Canonical Livepatch service

===================

Expected result is that it should pass but process fails.

** Affects: ubuntu-advantage-tools (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: cis-audit

https://bugs.launchpad.net/bugs/1943188

Title:
  Ensure chrony is configured (Automated)
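
The chrony.conf and process-owner steps of the manual procedure above, scripted as an added example (not part of the bug report and not the cis-audit tooling's own check). The function names are hypothetical, and the sample inputs are constructed from the report's "Actual result" values so the script runs offline:

```shell
#!/bin/sh
# Constructed sample inputs, taken from the "Actual result" values in the report.
SAMPLE_CONF='server 0.pool.ntp.org minpoll 8
server 1.pool.ntp.org minpoll 8
server 2.pool.ntp.org minpoll 8
server 3.pool.ntp.org minpoll 8'

SAMPLE_PS='_chrony 1092 1 0 17:35 ? 00:00:00 /usr/sbin/chronyd -F -1
_chrony 1099 1092 0 17:35 ? 00:00:00 /usr/sbin/chronyd -F -1
root 2110 2001 0 17:40 pts/0 00:00:00 grep chronyd'

# check_sources TEXT (hypothetical helper)
# Returns 0 when at least one uncommented server/pool line names a remote
# source; trailing options such as "minpoll 8" do not affect the result.
check_sources() {
    printf '%s\n' "$1" | awk '
        /^(server|pool)[ \t]+[^ \t]+/ { n++ }
        END { exit (n > 0 ? 0 : 1) }'
}

# check_user TEXT (hypothetical helper)
# TEXT is "ps -ef" output: UID is field 1, the command starts at field 8.
# Returns 0 when at least one chronyd process exists and every chronyd
# process is owned by _chrony. Matching on field 8 skips the "grep chronyd"
# line that the manual command also prints, and tolerates extra arguments
# and a second chronyd process, both of which appear in the report.
check_user() {
    printf '%s\n' "$1" | awk '
        $8 ~ /(^|\/)chronyd$/ { total++; if ($1 != "_chrony") bad++ }
        END { exit (total > 0 && bad == 0 ? 0 : 1) }'
}

# On a live system, pass real data instead of the samples:
#   check_sources "$(cat /etc/chrony/chrony.conf)"
#   check_user "$(ps -ef)"
check_sources "$SAMPLE_CONF" && echo "sources: pass"
check_user "$SAMPLE_PS" && echo "process owner: pass"
```
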