Bug
Resolution: Won't Do
rhel-8.8.0
rhel-security-compliance
ssg_security
Description of problem:
DISA STIG finding V-230486 requires disabling the chrony command port ('cmdport 0') even if the port is only listening on 'lo' (::1 / 127.0.0.1).
This prevents local stats verification with 'chronyc' by an unprivileged user (for monitoring).
Version-Release number of selected component (if applicable):
How reproducible:
Always
Steps to Reproduce:
1. Default chrony install:
   - yum install chrony
   - systemctl start chronyd
2. As an unprivileged user:
   $ chronyc sources
   $ chronyc delete <ntp_source_from_above>
3. Add 'cmdport 0' and restart:
   - echo "cmdport 0" >> /etc/chrony.conf
   - systemctl restart chronyd
4. As an unprivileged user again:
   $ chronyc sources
Actual results:
2. $ chronyc sources
   <source output>
   $ chronyc delete <ntp_source_from_above>
   501 Not authorised
4. $ chronyc sources
   506 Cannot talk to daemon
Expected results:
The expected result is that the STIG check verifies the actual interface on which the cmdport is listening, and passes or fails the verification based on that.
Maybe this is something to discuss with DISA.
Additional info:
An unprivileged user contacting chronyd on port 323 via the localhost interface cannot modify settings.
JGamba