ovh/debian-cis

chrony and ntp checks should skip if package is not installed

sblaisot opened this issue · 3 comments

2.2.1.3_configure_chrony considers the check failed if the chrony package is not installed. However, CIS benchmark §2.2.1.3 is only related to proper chrony configuration and clearly states:

This recommendation only applies if chrony is in use on the system.

So the check should be skipped if the package is not installed instead of failing (like when grub is not in use for test 1.5.1_bootloader_ownership).

The same should apply to 2.2.1.4_configure_ntp if ntp is not installed.

2.2.1.3_configure_chrony  [ KO ] chrony is not installed!
2.2.1.3_configure_chrony  [ KO ] Check Failed

Hello Sebastien,

We currently disable the check on machines via configuration file where chrony (for instance) is not installed on the machine. Wouldn't this solution work for you?

Yes, that would work.
However, on the other side, the CIS benchmark clearly states that the recommendation only applies if chrony (resp. ntp) is in use, so the default config should skip if not installed, I think.
I will try to publish a pull request.

Enforcing that either chrony or ntp is installed could be added as a 99.x check.
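
The skip-instead-of-fail behaviour discussed in this thread, as an added example that is not part of the issue and is not debian-cis code. The function names, the SKIP/OK/KO result strings and the "at least one server/pool line" test are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not debian-cis code. Names and result strings are hypothetical.
# On a real host the inputs would be:
#   audit_chrony "$(dpkg-query -W -f='${Status}' chrony 2>/dev/null)" /etc/chrony/chrony.conf

# pkg_state STATUS -> installed | absent
pkg_state() {
    case "$1" in
        "install ok installed") echo installed ;;
        # Empty output (package unknown) or e.g. "deinstall ok config-files"
        # (removed, config left behind): chrony is not in use.
        *) echo absent ;;
    esac
}

# audit_chrony STATUS CONF -> SKIP | OK | KO
audit_chrony() {
    if [ "$(pkg_state "$1")" = absent ]; then
        echo SKIP       # the recommendation does not apply, so do not fail
        return 0
    fi
    # Assumption: "configured" means at least one uncommented server/pool line.
    if [ -r "$2" ] && grep -Eq '^[[:space:]]*(server|pool)[[:space:]]+[^[:space:]#]' "$2"; then
        echo OK
    else
        echo KO
    fi
}

# Constructed sample configs, so the demo runs without chrony or dpkg.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'pool 2.debian.pool.ntp.org iburst\n' > "$tmp/good.conf"
    printf '#pool 2.debian.pool.ntp.org iburst\nmakestep 1 3\n' > "$tmp/bad.conf"
    echo "not installed:        $(audit_chrony '' "$tmp/good.conf")"
    echo "removed, conf left:   $(audit_chrony 'deinstall ok config-files' "$tmp/good.conf")"
    echo "installed, pool set:  $(audit_chrony 'install ok installed' "$tmp/good.conf")"
    echo "installed, no source: $(audit_chrony 'install ok installed' "$tmp/bad.conf")"
    rm -rf "$tmp"
}
demo
```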