OpenSCAP "Install the ntp service" false positive on ubuntu 16.04 with systemd-timesyncd running?


Gert Verhoog

Jul 30, 2017, 10:07:03 PM
to Wazuh mailing list
Hi group,

Not sure if this is entirely appropriate for this group (or would it be better to ask the OpenSCAP project?), but I'm getting a false positive with our wazuh + scap configuration: On all our machines, time synchronisation is enabled, using `systemd-timesyncd`. The output of `timedatectl status` shows "NTP synchronized: yes."

However, wazuh shows a failed oscap rule with the title "Install the ntp service". Has anyone else seen this behaviour?
Did I misconfigure something, or is this rule not taking systemd-timesyncd into account when checking for ntp?

Cheers,
Gert


Full log follows for reference:

oscap: msg: "xccdf-result",
scan-id: "0511501453180",
content: "ssg-ubuntu-1604-ds.xml",
title: "Install the ntp service",
id: "xccdf_org.ssgproject.content_rule_package_ntp_installed",
result: "fail",
severity: "high",
description: "The ntpd service should be installed.",
rationale: "Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptographic based services (authentication, etc.), etc.). Ntpd is regulary maintained and updated, supporting security features such as RFC 5906.",
references: "AU-8(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 160 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), NT012(R03) (http://www.ssi.gouv.fr/administration/bonnes-pratiques/)",
identifiers: "CCE- (https://nvd.nist.gov/cce/index.cfm)",
oval-id: "oval:ssg-package_ntp_installed:def:1",
benchmark-id: "xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL",
profile-id: "xccdf_org.ssgproject.content_profile_common",
profile-title: "Common Profile for General-Purpose Ubuntu Systems".


Andraz Sraka

Jul 31, 2017, 3:42:35 AM
to wa...@googlegroups.com
On Sun, 2017-07-30 at 19:07 -0700, Gert Verhoog wrote:
> However, wazuh shows a failed oscap rule with the title "Install the
> ntp service". Has anyone else seen this behaviour?
> Did I misconfigure something, or is this rule not taking systemd-
> timesyncd into account when checking for ntp?

I think it's not taking it into account, because once you install ntpd
this warning goes away. I have the same problem, because I am using
OpenNTPD and still get a warning that the ntp service is not installed :(

Regards,
Andraz

Jesus Linares

Jul 31, 2017, 7:04:13 AM
to Wazuh mailing list, a...@aufbix.org
Hi,

This is the check definition:

<Rule id="xccdf_org.ssgproject.content_rule_package_ntp_installed" selected="false" severity="high">
  <title xml:lang="en-US">Install the ntp service</title>
  <description xml:lang="en-US">
    The ntpd service should be installed.
  </description>
  <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</reference>
  <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">160</reference>
  <reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</reference>
  <reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</reference>
  <rationale xml:lang="en-US">
    Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptographic based services (authentication, etc.), etc.). Ntpd is regulary maintained and updated, supporting security features such as RFC 5906.
  </rationale>
  <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-</ident>
  <fix system="urn:xccdf:fix:script:sh" id="package_ntp_installed" complexity="low" disruption="low" reboot="false" strategy="disable"># Include source function library.

apt-get install ntp
  </fix>
  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
    <check-content-ref name="oval:ssg-package_ntp_installed:def:1" href="ssg-ubuntu1604-oval.xml"/>
  </check>
</Rule>

<definition class="compliance" id="oval:ssg-package_ntp_installed:def:1" version="1">
  <metadata>
    <title>Package ntp Installed</title>
    <affected family="unix">
      <platform>Ubuntu 1604</platform>
    </affected>
    <description>The DEB package ntp should be installed.</description>
    <reference ref_id="package_ntp_installed" source="ssg"/>
  </metadata>
  <criteria>
    <criterion comment="package ntp is installed" test_ref="oval:ssg-test_package_ntp_installed:tst:1"/>
  </criteria>
</definition>

<linux:dpkginfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_ntp_installed:tst:1" version="1" comment="package ntp is installed">
  <linux:object object_ref="oval:ssg-obj_package_ntp_installed:obj:1"/>
</linux:dpkginfo_test>

<linux:dpkginfo_object id="oval:ssg-obj_package_ntp_installed:obj:1" version="1">
  <linux:name>ntp</linux:name>
</linux:dpkginfo_object>

So, it returns True when you have the ntp package installed. If you are using any other package for NTP, it will not pass the check.

This policy was created by the SSG project. I would recommend that you open an issue in the https://github.com/OpenSCAP/scap-security-guide repository.

Thanks for the feedback!
Regards.
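As an added illustration (not code from the thread, from Wazuh or from the SSG project), the following evaluates the quoted OVAL `dpkginfo_test` the way the rule does, against a constructed package list for a host that syncs time with systemd-timesyncd, and contrasts it with a hypothetical extension that also accepts the "NTP synchronized: yes" line the original poster saw in `timedatectl status`. The `timesyncd_synchronized` helper, the `accept_timesyncd` flag and the sample host data are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

NS = {"linux": "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"}

# OVAL test and object from the SSG content quoted above, wrapped in a root
# element so they parse as one document.
OVAL = """<root xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<linux:dpkginfo_test check="all" check_existence="all_exist"
    id="oval:ssg-test_package_ntp_installed:tst:1" version="1">
  <linux:object object_ref="oval:ssg-obj_package_ntp_installed:obj:1"/>
</linux:dpkginfo_test>
<linux:dpkginfo_object id="oval:ssg-obj_package_ntp_installed:obj:1" version="1">
  <linux:name>ntp</linux:name>
</linux:dpkginfo_object>
</root>"""

def dpkginfo_test_result(oval_xml, test_id, installed):
    """Evaluate one dpkginfo_test with check_existence='all_exist': true only
    if every package named by the referenced object is in `installed`."""
    root = ET.fromstring(oval_xml)
    test = next(t for t in root.findall("linux:dpkginfo_test", NS) if t.get("id") == test_id)
    ref = test.find("linux:object", NS).get("object_ref")
    obj = next(o for o in root.findall("linux:dpkginfo_object", NS) if o.get("id") == ref)
    names = [n.text for n in obj.findall("linux:name", NS)]
    return all(name in installed for name in names)

def timesyncd_synchronized(timedatectl_output):
    """Hypothetical supplementary check (not part of the SSG rule): parse
    `timedatectl status` output for the 'NTP synchronized: yes' line."""
    for line in timedatectl_output.splitlines():
        key, _, value = line.strip().partition(":")
        if key.strip() == "NTP synchronized":
            return value.strip() == "yes"
    return False

def rule_result(installed, timedatectl_output, accept_timesyncd=False):
    """'pass'/'fail' exactly as the SSG rule decides (package ntp only), or with
    the hypothetical extension that also accepts a synchronised systemd-timesyncd."""
    ok = dpkginfo_test_result(OVAL, "oval:ssg-test_package_ntp_installed:tst:1", installed)
    if accept_timesyncd:
        ok = ok or timesyncd_synchronized(timedatectl_output)
    return "pass" if ok else "fail"

# Constructed sample host state: an Ubuntu 16.04 box without the ntp package
# that keeps time with systemd-timesyncd (timedatectl output is constructed too).
TIMESYNCD_HOST = ["systemd", "openssh-server"]
TIMEDATECTL = """      Local time: Sun 2017-07-30 19:07:03 UTC
 Network time on: yes
NTP synchronized: yes"""
```

Running `rule_result(TIMESYNCD_HOST, TIMEDATECTL)` reproduces the "fail" from the alert; only installing the `ntp` package, or the hypothetical extended criteria, turns it into "pass".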