Bug
Resolution: Won't Do
Minor
4.12.z
Quality / Stability / Reliability
False
Description of problem:
Auto-remediation does not work for the chronyd-related rules. After the auto-remediation has been applied, the chronyd-related rules still fail:
$ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL
NAME STATUS SEVERITY
rhcos4-high-master-chronyd-client-only FAIL low
rhcos4-high-master-chronyd-no-chronyc-network FAIL low
rhcos4-high-master-chronyd-or-ntpd-set-maxpoll FAIL medium
rhcos4-high-worker-chronyd-client-only FAIL low
rhcos4-high-worker-chronyd-no-chronyc-network FAIL low
rhcos4-high-worker-chronyd-or-ntpd-set-maxpoll FAIL medium
Version-Release number of selected component (if applicable):
4.12.2 + compliance-operator.v0.1.60-3
How reproducible:
Always
Steps to Reproduce:
1. Install Compliance Operator
2. Create a ssb:
oc create -f - << EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: rhcos4-high-test
profiles:
- name: rhcos4-high
  kind: Profile
  apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default-auto-apply
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
EOF
Actual results:
After several rounds of remediation, rerun the ScanSettingBinding and check whether any rule with an auto-fix still shows FAIL status:
$ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL
NAME STATUS SEVERITY
rhcos4-high-master-chronyd-client-only FAIL low
rhcos4-high-master-chronyd-no-chronyc-network FAIL low
rhcos4-high-master-chronyd-or-ntpd-set-maxpoll FAIL medium
rhcos4-high-worker-chronyd-client-only FAIL low
rhcos4-high-worker-chronyd-no-chronyc-network FAIL low
rhcos4-high-worker-chronyd-or-ntpd-set-maxpoll FAIL medium
Expected results:
After several rounds of remediation, all rules with an auto-fix should be in PASS status.
Additional info:
$ oc get rule rhcos4-chronyd-client-only -o=jsonpath={.instructions}
Verify Red Hat Enterprise Linux CoreOS 4 disables the chrony daemon from acting as a server with the following command:
$ grep -w port /etc/chrony.conf
port 0
$ oc get rule rhcos4-chronyd-no-chronyc-network -o=jsonpath={.instructions}
Verify Red Hat Enterprise Linux CoreOS 4 disables network management of the chrony daemon with the following command:
$ grep -w cmdport /etc/chrony.conf
cmdport 0
$ oc get rule rhcos4-chronyd-or-ntpd-set-maxpoll -o=jsonpath={.instructions}
Verify Red Hat Enterprise Linux CoreOS 4 is securely comparing internal information system clocks at a regular interval with an NTP server with the following command:
$ sudo grep maxpoll /etc/ntp.conf /etc/chrony.conf
server [ntp.server.name] iburst maxpoll .
$ oc debug node/xiyuan-08-m2-g58g7-master-0 -- chroot /host cat /etc/chrony.conf
Starting pod/xiyuan-08-m2-g58g7-master-0-debug ...
To use host binaries, run `chroot /host`
pool clock.redhat.com iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
logdir /var/log/chrony
Removing debug pod ...
$ oc debug node/xiyuan-08-m2-g58g7-master-0 -- chroot /host cat /etc/chrony.d/ntp-server.conf
Starting pod/xiyuan-08-m2-g58g7-master-0-debug ...
To use host binaries, run `chroot /host`
#
# This file controls the configuration of the ntp server
# 0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org we have to put variable array name here for mutilines remediation
server 0.pool.ntp.org minpoll 4 maxpoll 10
server 1.pool.ntp.org minpoll 4 maxpoll 10
server 2.pool.ntp.org minpoll 4 maxpoll 10
server 3.pool.ntp.org minpoll 4 maxpoll 10
Removing debug pod ...
$ oc get cr -o yaml
apiVersion: v1
items:
- apiVersion: compliance.openshift.io/v1alpha1
  kind: ComplianceRemediation
  metadata:
    annotations:
      compliance.openshift.io/xccdf-value-used: var-multiple-time-servers,var-time-service-set-maxpoll
    creationTimestamp: "2023-02-07T14:35:39Z"
    generation: 2
    labels:
      compliance.openshift.io/scan-name: rhcos4-moderate-master
      compliance.openshift.io/suite: moderate-test
    name: rhcos4-moderate-master-chronyd-client-only
    namespace: openshift-compliance
    ownerReferences:
    - apiVersion: compliance.openshift.io/v1alpha1
      blockOwnerDeletion: true
      controller: true
      kind: ComplianceCheckResult
      name: rhcos4-moderate-master-chronyd-client-only
      uid: bd956c7c-b034-4c50-bfd0-7fc840e10843
    resourceVersion: "284360"
    uid: e9bd3e1b-66f2-470c-b2f0-35586e4415f4
  spec:
    apply: true
    current:
      object:
        apiVersion: machineconfiguration.openshift.io/v1
        kind: MachineConfig
        spec:
          config:
            ignition:
              version: 3.1.0
            storage:
              files:
              - contents:
                  source: data:,%23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20%2Fetc%2Fchrony.d%2F%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains%2Flosses%20time.%0Adriftfile%20%2Fvar%2Flib%2Fchrony%2Fdrift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0%2F16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20%2Fetc%2Fchrony.keys%0A%0A%23%20Insert%2Fdelete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right%2FUTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20%2Fvar%2Flog%2Fchrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking
                mode: 420
                overwrite: true
                path: /etc/chrony.conf
              - contents:
                  source: data:,
                mode: 420
                overwrite: true
                path: /etc/chrony.d/.mco-keep
              - contents:
                  source: data:,%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%200.pool.ntp.org%2C1.pool.ntp.org%2C2.pool.ntp.org%2C3.pool.ntp.org%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%20%0A%0Aserver%200.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%201.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%202.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%203.pool.ntp.org%20minpoll%204%20maxpoll%2010%0A
                mode: 420
                overwrite: true
                path: /etc/chrony.d/ntp-server.conf
    outdated: {}
    type: Configuration
  status:
    applicationState: Applied
- apiVersion: compliance.openshift.io/v1alpha1
  kind: ComplianceRemediation
  metadata:
    annotations:
      compliance.openshift.io/xccdf-value-used: var-multiple-time-servers,var-time-service-set-maxpoll
    creationTimestamp: "2023-02-07T14:35:17Z"
    generation: 2
    labels:
      compliance.openshift.io/scan-name: rhcos4-moderate-master
      compliance.openshift.io/suite: moderate-test
    name: rhcos4-moderate-master-chronyd-no-chronyc-network
    namespace: openshift-compliance
    ownerReferences:
    - apiVersion: compliance.openshift.io/v1alpha1
      blockOwnerDeletion: true
      controller: true
      kind: ComplianceCheckResult
      name: rhcos4-moderate-master-chronyd-no-chronyc-network
      uid: 68023250-b87d-40a6-9caa-c622d08ddc01
    resourceVersion: "284366"
    uid: 0e5bb6c3-6926-4f43-984d-3afa149ef490
  spec:
    apply: true
    current:
      object:
        apiVersion: machineconfiguration.openshift.io/v1
        kind: MachineConfig
        spec:
          config:
            ignition:
              version: 3.1.0
            storage:
              files:
              - contents:
                  source: data:,%23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20%2Fetc%2Fchrony.d%2F%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains%2Flosses%20time.%0Adriftfile%20%2Fvar%2Flib%2Fchrony%2Fdrift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0%2F16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20%2Fetc%2Fchrony.keys%0A%0A%23%20Insert%2Fdelete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right%2FUTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20%2Fvar%2Flog%2Fchrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking
                mode: 420
                overwrite: true
                path: /etc/chrony.conf
              - contents:
                  source: data:,
                mode: 420
                overwrite: true
                path: /etc/chrony.d/.mco-keep
              - contents:
                  source: data:,%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%200.pool.ntp.org%2C1.pool.ntp.org%2C2.pool.ntp.org%2C3.pool.ntp.org%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%20%0A%0Aserver%200.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%201.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%202.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%203.pool.ntp.org%20minpoll%204%20maxpoll%2010%0A
                mode: 420
                overwrite: true
                path: /etc/chrony.d/ntp-server.conf
    outdated: {}
    type: Configuration
  status:
    applicationState: Applied
- apiVersion: compliance.openshift.io/v1alpha1
  kind: ComplianceRemediation
  metadata:
    annotations:
      compliance.openshift.io/xccdf-value-used: var-multiple-time-servers,var-time-service-set-maxpoll
    creationTimestamp: "2023-02-07T14:35:37Z"
    generation: 2
    labels:
      compliance.openshift.io/scan-name: rhcos4-moderate-master
      compliance.openshift.io/suite: moderate-test
    name: rhcos4-moderate-master-chronyd-or-ntpd-set-maxpoll
    namespace: openshift-compliance
    ownerReferences:
    - apiVersion: compliance.openshift.io/v1alpha1
      blockOwnerDeletion: true
      controller: true
      kind: ComplianceCheckResult
      name: rhcos4-moderate-master-chronyd-or-ntpd-set-maxpoll
      uid: 79f13874-6b03-4431-a406-7d7acd2fe850
    resourceVersion: "284340"
    uid: 456976e9-5b99-478a-a7a1-0f7f2947e57f
  spec:
    apply: true
    current:
      object:
        apiVersion: machineconfiguration.openshift.io/v1
        kind: MachineConfig
        spec:
          config:
            ignition:
              version: 3.1.0
            storage:
              files:
              - contents:
                  source: data:,%23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20%2Fetc%2Fchrony.d%2F%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains%2Flosses%20time.%0Adriftfile%20%2Fvar%2Flib%2Fchrony%2Fdrift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0%2F16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20%2Fetc%2Fchrony.keys%0A%0A%23%20Insert%2Fdelete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right%2FUTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20%2Fvar%2Flog%2Fchrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking
                mode: 420
                overwrite: true
                path: /etc/chrony.conf
              - contents:
                  source: data:,
                mode: 420
                overwrite: true
                path: /etc/chrony.d/.mco-keep
              - contents:
                  source: data:,%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%200.pool.ntp.org%2C1.pool.ntp.org%2C2.pool.ntp.org%2C3.pool.ntp.org%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%20%0A%0Aserver%200.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%201.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%202.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%203.pool.ntp.org%20minpoll%204%20maxpoll%2010%0A
                mode: 420
                overwrite: true
                path: /etc/chrony.d/ntp-server.conf
    outdated: {}
    type: Configuration
  status:
    applicationState: Applied
- apiVersion: compliance.openshift.io/v1alpha1
  kind: ComplianceRemediation
  metadata:
    creationTimestamp: "2023-02-07T14:35:19Z"
    generation: 2
    labels:
      compliance.openshift.io/scan-name: rhcos4-moderate-master
      compliance.openshift.io/suite: moderate-test
    name: rhcos4-moderate-master-coreos-vsyscall-kernel-argument
    namespace: openshift-compliance
    ownerReferences:
    - apiVersion: compliance.openshift.io/v1alpha1
      blockOwnerDeletion: true
      controller: true
      kind: ComplianceCheckResult
      name: rhcos4-moderate-master-coreos-vsyscall-kernel-argument
      uid: 39fec898-5466-412e-8de2-344879015097
    resourceVersion: "284344"
    uid: fe9a045f-5fb4-4329-8881-464f64ff6bae
  spec:
    apply: true
    current:
      object:
        apiVersion: machineconfiguration.openshift.io/v1
        kind: MachineConfig
        spec:
          config:
            ignition:
              version: 3.1.0
          kernelArguments:
          - vsyscall=none
    outdated: {}
    type: Configuration
  status:
    applicationState: Applied
- apiVersion: compliance.openshift.io/v1alpha1
  kind: ComplianceRemediation
  metadata:
    annotations:
      compliance.openshift.io/xccdf-value-used: var-multiple-time-servers,var-time-service-set-maxpoll
    creationTimestamp: "2023-02-07T14:35:27Z"
    generation: 2
    labels:
      compliance.openshift.io/scan-name: rhcos4-moderate-worker
      compliance.openshift.io/suite: moderate-test
    name: rhcos4-moderate-worker-chronyd-client-only
    namespace: openshift-compliance
    ownerReferences:
    - apiVersion: compliance.openshift.io/v1alpha1
      blockOwnerDeletion: true
      controller: true
      kind: ComplianceCheckResult
      name: rhcos4-moderate-worker-chronyd-client-only
      uid: fca26b31-25eb-4c5d-affb-aabc935d164f
    resourceVersion: "284251"
    uid: c02bb2a3-a14a-4e50-aacf-6bb1dc1d4241
  spec:
    apply: true
    current:
      object:
        apiVersion: machineconfiguration.openshift.io/v1
        kind: MachineConfig
        spec:
          config:
            ignition:
              version: 3.1.0
            storage:
              files:
              - contents:
                  source: data:,%23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20%2Fetc%2Fchrony.d%2F%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains%2Flosses%20time.%0Adriftfile%20%2Fvar%2Flib%2Fchrony%2Fdrift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0%2F16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20%2Fetc%2Fchrony.keys%0A%0A%23%20Insert%2Fdelete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right%2FUTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20%2Fvar%2Flog%2Fchrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking
                mode: 420
                overwrite: true
                path: /etc/chrony.conf
              - contents:
                  source: data:,
                mode: 420
                overwrite: true
                path: /etc/chrony.d/.mco-keep
              - contents:
                  source: data:,%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%200.pool.ntp.org%2C1.pool.ntp.org%2C2.pool.ntp.org%2C3.pool.ntp.org%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%20%0A%0Aserver%200.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%201.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%202.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%203.pool.ntp.org%20minpoll%204%20maxpoll%2010%0A
                mode: 420
                overwrite: true
                path: /etc/chrony.d/ntp-server.conf
    outdated: {}
    type: Configuration
  status:
    applicationState: Applied
- apiVersion: compliance.openshift.io/v1alpha1
  kind: ComplianceRemediation
  metadata:
    annotations:
      compliance.openshift.io/xccdf-value-used: var-multiple-time-servers,var-time-service-set-maxpoll
    creationTimestamp: "2023-02-07T14:35:32Z"
    generation: 2
    labels:
      compliance.openshift.io/scan-name: rhcos4-moderate-worker
      compliance.openshift.io/suite: moderate-test
    name: rhcos4-moderate-worker-chronyd-no-chronyc-network
    namespace: openshift-compliance
    ownerReferences:
    - apiVersion: compliance.openshift.io/v1alpha1
      blockOwnerDeletion: true
      controller: true
      kind: ComplianceCheckResult
      name: rhcos4-moderate-worker-chronyd-no-chronyc-network
      uid: ad4eea13-cf7a-44c2-9a48-ab0b052c6749
    resourceVersion: "284260"
    uid: 95f78705-a657-42a5-a7af-76461a7ec19a
  spec:
    apply: true
    current:
      object:
        apiVersion: machineconfiguration.openshift.io/v1
        kind: MachineConfig
        spec:
          config:
            ignition:
              version: 3.1.0
            storage:
              files:
              - contents:
                  source: data:,%23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20%2Fetc%2Fchrony.d%2F%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains%2Flosses%20time.%0Adriftfile%20%2Fvar%2Flib%2Fchrony%2Fdrift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0%2F16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20%2Fetc%2Fchrony.keys%0A%0A%23%20Insert%2Fdelete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right%2FUTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20%2Fvar%2Flog%2Fchrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking
                mode: 420
                overwrite: true
                path: /etc/chrony.conf
              - contents:
                  source: data:,
                mode: 420
                overwrite: true
                path: /etc/chrony.d/.mco-keep
              - contents:
                  source: data:,%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%200.pool.ntp.org%2C1.pool.ntp.org%2C2.pool.ntp.org%2C3.pool.ntp.org%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%20%0A%0Aserver%200.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%201.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%202.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%203.pool.ntp.org%20minpoll%204%20maxpoll%2010%0A
                mode: 420
                overwrite: true
                path: /etc/chrony.d/ntp-server.conf
    outdated: {}
    type: Configuration
  status:
    applicationState: Applied
- apiVersion: compliance.openshift.io/v1alpha1
  kind: ComplianceRemediation
  metadata:
    annotations:
      compliance.openshift.io/xccdf-value-used: var-multiple-time-servers,var-time-service-set-maxpoll
    creationTimestamp: "2023-02-07T14:35:25Z"
    generation: 2
    labels:
      compliance.openshift.io/scan-name: rhcos4-moderate-worker
      compliance.openshift.io/suite: moderate-test
    name: rhcos4-moderate-worker-chronyd-or-ntpd-set-maxpoll
    namespace: openshift-compliance
    ownerReferences:
    - apiVersion: compliance.openshift.io/v1alpha1
      blockOwnerDeletion: true
      controller: true
      kind: ComplianceCheckResult
      name: rhcos4-moderate-worker-chronyd-or-ntpd-set-maxpoll
      uid: b98a02ba-4a7b-45d6-9089-bc1d41c6d77a
    resourceVersion: "284242"
    uid: fad8cb56-406e-4b89-878f-352e9aa139a6
  spec:
    apply: true
    current:
      object:
        apiVersion: machineconfiguration.openshift.io/v1
        kind: MachineConfig
        spec:
          config:
            ignition:
              version: 3.1.0
            storage:
              files:
              - contents:
                  source: data:,%23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20%2Fetc%2Fchrony.d%2F%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains%2Flosses%20time.%0Adriftfile%20%2Fvar%2Flib%2Fchrony%2Fdrift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0%2F16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20%2Fetc%2Fchrony.keys%0A%0A%23%20Insert%2Fdelete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right%2FUTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20%2Fvar%2Flog%2Fchrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking
                mode: 420
                overwrite: true
                path: /etc/chrony.conf
              - contents:
                  source: data:,
                mode: 420
                overwrite: true
                path: /etc/chrony.d/.mco-keep
              - contents:
                  source: data:,%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%200.pool.ntp.org%2C1.pool.ntp.org%2C2.pool.ntp.org%2C3.pool.ntp.org%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%20%0A%0Aserver%200.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%201.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%202.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%203.pool.ntp.org%20minpoll%204%20maxpoll%2010%0A
                mode: 420
                overwrite: true
                path: /etc/chrony.d/ntp-server.conf
    outdated: {}
    type: Configuration
  status:
    applicationState: Applied
- apiVersion: compliance.openshift.io/v1alpha1
  kind: ComplianceRemediation
  metadata:
    creationTimestamp: "2023-02-07T14:35:35Z"
    generation: 2
    labels:
      compliance.openshift.io/scan-name: rhcos4-moderate-worker
      compliance.openshift.io/suite: moderate-test
    name: rhcos4-moderate-worker-coreos-vsyscall-kernel-argument
    namespace: openshift-compliance
    ownerReferences:
    - apiVersion: compliance.openshift.io/v1alpha1
      blockOwnerDeletion: true
      controller: true
      kind: ComplianceCheckResult
      name: rhcos4-moderate-worker-coreos-vsyscall-kernel-argument
      uid: 9e83af6b-7b37-45a2-9371-76886f15af2e
    resourceVersion: "284236"
    uid: b0ad9341-757a-4aa4-8030-7cb13adeecb1
  spec:
    apply: true
    current:
      object:
        apiVersion: machineconfiguration.openshift.io/v1
        kind: MachineConfig
        spec:
          config:
            ignition:
              version: 3.1.0
          kernelArguments:
          - vsyscall=none
    outdated: {}
    type: Configuration
  status:
    applicationState: Applied
kind: List
metadata:
  resourceVersion: ""
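As an added example (not part of this report and not Compliance Operator code), the following Python decodes an Ignition `contents.source` data URL of the kind carried by the ComplianceRemediation objects above and checks the rendered chrony configuration against the three rule instructions quoted under Additional info: `port 0` for chronyd-client-only, `cmdport 0` for chronyd-no-chronyc-network, and a `maxpoll` option on every time source for chronyd-or-ntpd-set-maxpoll. Run against the remediation payload it reports all three as satisfied; run against the file the `oc debug` session actually found on the node it reports all three as failing, which is the discrepancy the report describes. The data URLs and file contents embedded in the block are shortened, constructed stand-ins for the ones on this page, and the function names are my own, not the operator's.

```python
"""Compare what a ComplianceRemediation would write for chrony with what the
node actually has, using the checks the chronyd rule instructions describe.

Added example; the data URLs and file texts below are constructed stand-ins
for the (much longer) ones in the bug report.
"""
import base64
from urllib.parse import unquote

# Constructed: shortened Ignition `contents.source` values using the same
# percent-encoding as the real MachineConfig in the ComplianceRemediation.
REMEDIATION_CHRONY_CONF_SOURCE = (
    "data:,%23%20Allow%20for%20extra%20configuration%20files.%0A"
    "include%20%2Fetc%2Fchrony.d%2F%2A.conf%0A%0A"
    "%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A"
    "%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A"
)
REMEDIATION_NTP_SERVER_CONF_SOURCE = (
    "data:,server%200.pool.ntp.org%20minpoll%204%20maxpoll%2010%0A"
    "server%201.pool.ntp.org%20minpoll%204%20maxpoll%2010%0A"
)

# Constructed from the `oc debug node ... cat` output in the report: the
# files actually present on the node after the remediation was "Applied".
NODE_CHRONY_CONF = """pool clock.redhat.com iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
logdir /var/log/chrony
"""
NODE_NTP_SERVER_CONF = """#
# This file controls the configuration of the ntp server
server 0.pool.ntp.org minpoll 4 maxpoll 10
server 1.pool.ntp.org minpoll 4 maxpoll 10
"""


def decode_ignition_data_url(source: str) -> str:
    """Turn an RFC 2397 data URL (plain or ;base64) into the file's text."""
    if not source.startswith("data:"):
        raise ValueError("not a data: URL")
    header, _, payload = source[len("data:"):].partition(",")
    if header.endswith(";base64"):
        return base64.b64decode(payload).decode("utf-8")
    return unquote(payload)


def _directives(text: str):
    """Yield (keyword, args) for each non-empty, non-comment chrony line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0], parts[1:]


def check_chronyd_rules(chrony_conf: str, extra_confs=()) -> dict:
    """Mirror the three rule instructions quoted in the report.

    chronyd-client-only         -> a `port 0` directive is present
    chronyd-no-chronyc-network  -> a `cmdport 0` directive is present
    chronyd-or-ntpd-set-maxpoll -> every server/pool/peer line has maxpoll
    extra_confs are drop-in files such as /etc/chrony.d/ntp-server.conf.
    """
    port = cmdport = None
    sources = []
    for text in (chrony_conf, *extra_confs):
        for keyword, args in _directives(text):
            if keyword == "port" and args:
                port = args[0]
            elif keyword == "cmdport" and args:
                cmdport = args[0]
            elif keyword in ("server", "pool", "peer"):
                sources.append(args)
    return {
        "chronyd-client-only": port == "0",
        "chronyd-no-chronyc-network": cmdport == "0",
        "chronyd-or-ntpd-set-maxpoll": bool(sources)
        and all("maxpoll" in args for args in sources),
    }


def remediation_vs_node() -> dict:
    """Evaluate the remediation payload and the node's files side by side."""
    remediation = check_chronyd_rules(
        decode_ignition_data_url(REMEDIATION_CHRONY_CONF_SOURCE),
        [decode_ignition_data_url(REMEDIATION_NTP_SERVER_CONF_SOURCE)],
    )
    node = check_chronyd_rules(NODE_CHRONY_CONF, [NODE_NTP_SERVER_CONF])
    return {"remediation": remediation, "node": node}


if __name__ == "__main__":
    results = remediation_vs_node()
    for rule in results["remediation"]:
        print(f"{rule:30} remediation={results['remediation'][rule]!s:5} "
              f"node={results['node'][rule]}")
```

The node's `pool clock.redhat.com iburst` line is what fails the maxpoll check even though the drop-in file carries `maxpoll 10` on its `server` lines; this is worth remembering when reading the scan result, because the remediation's own `/etc/chrony.conf` replaces that `pool` line rather than editing it.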