Bug 2226501
| Summary: | DISA STIG finding V-230486 requires disabling chrony 'cmdport' even if the port is only listening on 'lo' (::1 / 127.0.0.1) | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Juan Gamba <jgamba> |
| Component: | scap-security-guide | Assignee: | Vojtech Polasek <vpolasek> |
| Status: | CLOSED MIGRATED | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | --- | CC: | ggasparb, matyc, mhaicman, mlysonek, wsato |
| Target Milestone: | rc | Keywords: | MigratedToJIRA, Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-08-16 07:27:41 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug. This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there. To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer. You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like: "Bugzilla Bug" = 1234567 In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. |
Description of problem: DISA STIG finding V-230486 requires disabling chrony 'cmdport 0' even if the port is only listening on 'lo' (::1 / 127.0.0.1) And this prevents local stats verification using 'chronyc' from an unprivileged user (for monitoring) Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1. default chrony install # yum install chrony # systemctl start chronyd 2. with an unprivileged user: $ chronyc sources $ chronyc delete <ntp_source_from_above> 3. add cmdport 0 # echo "cmdport 0" >> /etc/chrony.conf # systemctl restart chronyd 4. with an unprivileged user again $ chronyc sources Actual results: 2. $ chronyc sources <source output> $ chronyc delete <ntp_source_from_above> 501 Not authorised 4. $ chronyc sources 506 Cannot talk to daemon Expected results: The expected results is that the STIG verify the actual interface where the cmdport is listening to, in order to either pass or not the verification. Maybe this is something to discuss with DISA Additional info: Unprivileged user contacting chronyd over port 323 via localhost interface cannot modify settings. JGamba