Adjust Chrony_Conf Control

[DMedina6]

Adjusts control to account for multiple values / arrays in both the inspec.yml input and the chrony.conf configuration file.

Edge case:
This control passes when the chrony.conf file has fewer servers than the inspec.yml input but all values are valid.

  chrony_conf.server = [10.90.21.160]
  input('authoritative_timeserver') = [10.90.21.160, 10.90.21.178]

^ this would result in a pass.

This may be desirable if user wants to have several possible correct values but the configuration file only needs to have a subset of those values.

[wdower]

This may be desirable if user wants to have several possible correct values but the configuration file only needs to have a subset of those values.

So this is how I read this requirement. The STIG wants you to have a valid timeserver, not an exact list. So your edge case is actually desired behavior.

[aaronlippold]

The input in the input.yml is a list of 'valid timeservers' so having at least one of them and having maxpool be <= 16 are the two conditions that should be true.

The check text says 'a valid server' not 'all listed serververs must be in the config file'

We could, if you wanted, add an input for 'exact timeservers' to udpate the logic of the check to ensure that all listed timeservers in the input are configured and have a maxpool of <= 16.

Also why are we so worried about the array vs string. The resource seems to return an array of strings, Just flatten it and fail fast if the flattened array is empty? nil?

[aaronlippold]

https://github.com/inspec/inspec/blob/main/lib/inspec/resources/chrony_conf.rb#L56

[wdower]

This seems like cleanup to the code which doesn't meaningfully change its function. LGTM.

[wdower]

Wait, read it again and realized that this is forcing all timeservers to be valid. We want minimum of one to be valid.

Suggest using .any? on the list of timeservers and checking for inclusion in the authorized servers list.

[DMedina6]

https://github.com/inspec/inspec/blob/main/lib/inspec/resources/chrony_conf.rb#L56

This uses SimpleConfig utility to parse the chrony.conf file. Isn't this line saying that in the case that there is one value in the array it'll just return the string itself instead?

https://github.com/inspec/inspec/blob/ec9724ed1b7ee4f04fa66fa6eee0b5e89a708b02/lib/inspec/utils/simpleconfig.rb#L42

return match[start_idx] if values == 1

[DMedina6]

Wait, read it again and realized that this is forcing all timeservers to be valid. We want minimum of one to be valid.

Suggest using .any? on the list of timeservers and checking for inclusion in the authorized servers list.

Yeah, and to be fair it doesn't seem to make sure that the specific timeserver being checked for has a valid maxpool value (or do all servers regardless of validity need a maxpool <= 16?)

[wdower]

Yeah, and to be fair it doesn't seem to make sure that the specific timeserver being checked for has a valid maxpool value (or do all servers regardless of validity need a maxpool <= 16?)

Good point. From the fix text, it looks like maxpoll needs to be set per-server.

[DMedina6]

Modified the control to check corresponding maxpoll values instead of all of them separately.

@aaronlippold mentioned an authoritative_timeserver_exact input as well that would instead check if every value in it exists in the chrony.conf file? Would this allow for additional entries or are the entries in this new input the only ones that would be allowed?