Description
Rule 35589 (Ensure systemd-timesyncd is enabled and running): https://github.com/wazuh/wazuh/blob/73a6d75d54e67062a9b087452dcc286d978e8e8c/ruleset/sca/ubuntu/cis_ubuntu24-04.yml#L2171-L2192
Rule 35592 (Ensure chrony is enabled and running): https://github.com/wazuh/wazuh/blob/73a6d75d54e67062a9b087452dcc286d978e8e8c/ruleset/sca/ubuntu/cis_ubuntu24-04.yml#L2244-L2266
When chrony is installed and systemd-timesyncd is not installed (or is installed but disabled), rule 35589 fails:

```
# systemctl is-enabled systemd-timesyncd.service
not-found # or masked
# systemctl is-active systemd-timesyncd.service
inactive
```
Because the rule wants "enabled" and "active".
But chrony is active:

```
# systemctl is-active chronyd.service
active
```
But, according to the CIS Ubuntu Linux 24.04 LTS Benchmark v1.0.0 - 08-26-2024 (page 311),

> - If chrony is used, systemd-timesyncd should be stopped and masked, and this section skipped
> - One, and only one, time synchronization method should be in use on the system

According to the (unimplemented) rule 2.3.1.1 (Ensure a single time synchronization daemon is in use),

> One of the two time synchronization daemons should be available; chrony or systemd-timesyncd
The fix for 35589 is not trivial because Wazuh does not support XOR-style rules:
```diff
condition: all
rules:
- - "c:systemctl is-enabled systemd-timesyncd.service -> r:enabled"
- - "c:systemctl is-active systemd-timesyncd.service -> r:^active$"
+ - 'c:sh -c "{ systemctl is-enabled -q systemd-timesyncd.service && systemctl is-active -q systemd-timesyncd.service && ! systemctl is-active -q chronyd.service; } || { ! systemctl is-enabled -q systemd-timesyncd.service && ! systemctl is-active -q systemd-timesyncd.service && systemctl is-active -q chronyd.service; }; echo $?" -> r:0'
```

That is, systemd-timesyncd is enabled AND systemd-timesyncd is active AND chronyd is NOT active, OR systemd-timesyncd is NOT enabled AND systemd-timesyncd is NOT active AND chronyd is active.
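Review bot: the second branch of the `+` line accepts systemd-timesyncd being merely not enabled and not active, while the benchmark text quoted above requires it to be "stopped and masked" when chrony is used; `! systemctl is-enabled -q` exits the same way for a disabled and a masked unit, so if the check is meant to follow the benchmark wording, that branch should match the textual output instead (`c:systemctl is-enabled systemd-timesyncd.service -> r:masked`). The unit name also differs from the existing rule 35592, which queries `chrony.service` where this line uses `chronyd.service`; the two rules should use the same spelling.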
Rule 35592 also needs to be fixed:
```yaml
condition: all
rules:
- "c:systemctl show chrony.service -> r:^LoadState=loaded"
- "c:systemctl show chrony.service -> r:^ActiveState=active"
- "not c:systemctl show systemd-timesyncd.service -> r:^LoadState=loaded|^ActiveState=active"
```

When chrony is not loaded or active (because systemd-timesyncd is the daemon in use), this rule fails. It probably needs the same trick:

```yaml
'c:sh -c "{ systemctl is-enabled -q chronyd.service && systemctl is-active -q chronyd.service && ! systemctl is-active -q systemd-timesyncd.service; } || { ! systemctl is-enabled -q chronyd.service && ! systemctl is-active -q chronyd.service && systemctl is-active -q systemd-timesyncd.service; }; echo $?" -> r:0'
```
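As an added example that is not from the Wazuh ruleset, the shell below wraps the compound condition shared by the proposed 35589 and 35592 checks in one function and stubs `systemctl` with constructed unit states, so both rules can be run against hypothetical host states offline. The variable names, stub and `evaluate_host` helper are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the Wazuh ruleset: the "exactly one time sync
# daemon" condition behind the proposed rules, wrapped in a function so it can
# be exercised with constructed unit states instead of a live systemd.

# Constructed stand-in for systemctl. Unit states come from environment
# variables holding "yes" or "no": TIMESYNCD_ENABLED, TIMESYNCD_ACTIVE,
# CHRONYD_ENABLED, CHRONYD_ACTIVE. Only the verbs the rules use are modelled.
systemctl() {
  verb="$1"; shift
  if [ "$1" = "-q" ]; then shift; fi
  case "$verb:$1" in
    is-enabled:systemd-timesyncd.service) [ "${TIMESYNCD_ENABLED:-no}" = yes ] ;;
    is-active:systemd-timesyncd.service)  [ "${TIMESYNCD_ACTIVE:-no}" = yes ] ;;
    is-enabled:chronyd.service)           [ "${CHRONYD_ENABLED:-no}" = yes ] ;;
    is-active:chronyd.service)            [ "${CHRONYD_ACTIVE:-no}" = yes ] ;;
    *) return 4 ;;   # real systemctl exits 4 for an unknown unit
  esac
}

# Same shape as the proposed sh -c command: exit 0 when $1 is the enabled and
# active daemon and $2 is not active, or when $1 is neither enabled nor active
# and $2 is active; exit 1 in every other combination.
exactly_one_daemon() {
  { systemctl is-enabled -q "$1" && systemctl is-active -q "$1" \
      && ! systemctl is-active -q "$2"; } \
  || { ! systemctl is-enabled -q "$1" && ! systemctl is-active -q "$1" \
      && systemctl is-active -q "$2"; }
}

# What the SCA check reads back: the exit status as text, matched by "-> r:0".
rule_35589_output() {
  if exactly_one_daemon systemd-timesyncd.service chronyd.service; then echo 0; else echo 1; fi
}
rule_35592_output() {
  if exactly_one_daemon chronyd.service systemd-timesyncd.service; then echo 0; else echo 1; fi
}

# Run both rules against one constructed host state, in a subshell so the
# variables do not leak: $1 timesyncd enabled, $2 timesyncd active,
# $3 chronyd enabled, $4 chronyd active (each "yes" or "no").
evaluate_host() (
  TIMESYNCD_ENABLED=$1 TIMESYNCD_ACTIVE=$2 CHRONYD_ENABLED=$3 CHRONYD_ACTIVE=$4
  echo "35589=$(rule_35589_output) 35592=$(rule_35592_output)"
)

evaluate_host yes yes no no   # timesyncd only: both rules pass
evaluate_host no no no yes    # chronyd running but not enabled: 35589 passes, 35592 fails
```

The last line shows the asymmetry worth keeping in mind: each rule only checks that its "other" daemon is active, so a running-but-not-enabled chronyd satisfies 35589 while failing 35592.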