The Chronyd service is disabled
Description
The chrony service can be disabled with the following command:
$ sudo systemctl mask --now chrony.service
Rationale
Disabling the chrony service ensures that there is
only single one time service running.
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'chrony' 2>/dev/null | grep -q '^installed$'; }; then
var_timesync_service='systemd-timesyncd'
if [ $var_timesync_service != chronyd ]; then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'chrony.service'
"$SYSTEMCTL_EXEC" disable 'chrony.service'
"$SYSTEMCTL_EXEC" mask 'chrony.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" -q list-unit-files chrony.socket; then
"$SYSTEMCTL_EXEC" stop 'chrony.socket'
"$SYSTEMCTL_EXEC" mask 'chrony.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'chrony.service' || true
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Gather the package facts
package_facts:
manager: auto
tags:
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_chronyd_disabled
- name: XCCDF Value var_timesync_service # promote to variable
set_fact:
var_timesync_service: !!str systemd-timesyncd
tags:
- always
- name: The Chronyd service is disabled - Collect systemd Services Present in the
System
ansible.builtin.command: systemctl -q list-unit-files --type service
register: service_exists
changed_when: false
failed_when: service_exists.rc not in [0, 1]
check_mode: false
when:
- '"linux-base" in ansible_facts.packages'
- '"chrony" in ansible_facts.packages'
tags:
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_chronyd_disabled
- name: The Chronyd service is disabled - Ensure "chrony.service" is Masked
ansible.builtin.systemd:
name: chrony.service
state: stopped
enabled: false
masked: true
when:
- '"linux-base" in ansible_facts.packages'
- '"chrony" in ansible_facts.packages'
- service_exists.stdout_lines is search("chrony.service",multiline=True)
- var_timesync_service != "chronyd"
tags:
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_chronyd_disabled
- name: Unit Socket Exists - chrony.socket
ansible.builtin.command: systemctl -q list-unit-files chrony.socket
register: socket_file_exists
changed_when: false
failed_when: socket_file_exists.rc not in [0, 1]
check_mode: false
when:
- '"linux-base" in ansible_facts.packages'
- '"chrony" in ansible_facts.packages'
tags:
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_chronyd_disabled
- name: Disable socket chrony
ansible.builtin.systemd:
name: chrony.socket
enabled: 'no'
state: stopped
masked: 'yes'
when:
- '"linux-base" in ansible_facts.packages'
- '"chrony" in ansible_facts.packages'
- socket_file_exists.stdout_lines is search("chrony.socket",multiline=True)
- var_timesync_service != "chronyd"
tags:
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_chronyd_disabled
