From 58a45348b34c2cfc888c981573ea217fede92188 Mon Sep 17 00:00:00 2001
From: lwj
Date: Fri, 5 May 2023 19:42:17 +0800
Subject: [PATCH] Added benchmark,remediation-kits,scanners for rule 3.27-ensure-time-synchronization-is-installed

Fixes: #I70N0P
Signed-off-by: lwj
---
 ...nsure-time-synchronization-is-installed.md | 36 +++++++++++++++++++
 docs/summary-of-rules.md | 1 +
 ...nsure-time-synchronization-is-installed.sh | 1 +
 ...nsure-time-synchronization-is-installed.sh | 10 ++++++
 4 files changed, 48 insertions(+)
 create mode 100644 benchmarks/services/3.27-ensure-time-synchronization-is-installed.md
 create mode 100644 remediation-kits/services/3.27-ensure-time-synchronization-is-installed.sh
 create mode 100644 scanners/services/3.27-ensure-time-synchronization-is-installed.sh

diff --git a/benchmarks/services/3.27-ensure-time-synchronization-is-installed.md b/benchmarks/services/3.27-ensure-time-synchronization-is-installed.md
new file mode 100644
index 0000000..310df13
--- /dev/null
+++ b/benchmarks/services/3.27-ensure-time-synchronization-is-installed.md
@@ -0,0 +1,36 @@
+# 3.27 确保时间同步服务已安装
+
+## 安全等级
+
+- Level 1
+
+## 描述
+
+同一环境中的所有系统之间应同步系统时间。 这通常是通过建立一个或一组权威的时间服务器,并使所有系统的时钟与之同步来实现的。时间同步对于支持时间敏感的安全机制如Kerberos非常重要,它还可以确保日志文件在整个企业中具有一致的时间记录,这有助于取证调查。
+
+## 修复建议
+
+目标:安装chrony软件包。
+
+1. 运行以下命令安装 chrony。
+
+```bash
+# dnf install chrony -y
+```
+
+## 扫描检测
+
+验证是否正确安装了chrony。
+
+1. 运行以下命令以检测是否安装 chrony。
+
+```bash
+# rpm -q chrony
+chrony-
+```
+
+输出结果为`chrony-`则表示安装了chrony。其中``为版本信息。
+
+## 参考
+
+- cis:
diff --git a/docs/summary-of-rules.md b/docs/summary-of-rules.md
index 51e4742..76500c3 100644
--- a/docs/summary-of-rules.md
+++ b/docs/summary-of-rules.md
@@ -104,6 +104,7 @@
 | 3.24 | 3.24-disable-ntalk.md | 3.24 禁用ntalk | benchmarks/services | 1 |
 | 3.25 | 3.25-ensure-xinetd-is-not-installed.md | 3.25 确保xinetd被卸载 | benchmarks/services | 1 |
 | 3.26 | 3.26-disable-usb-storage.md | 3.26 禁用USB存储 | benchmarks/services | 1 |
+| 3.27 | 3.27-ensure-time-synchronization-is-installed.md | 3.27 确保时间同步服务已安装 | benchmarks/services | 1 |
 | 4.1 | 4.1-ensure-message-of-the-day-is-configured-properly.md | 4.1 确保登录提示消息的内容符合要求 | benchmarks/system-configurations | 1 |
 | 4.2 | 4.2-ensure-local-login-warning-banner-is-configured-properly.md | 4.2 确保本地登录提示消息的内容符合要求 | benchmarks/system-configurations | 1 |
 | 4.3 | 4.3-ensure-remote-login-warning-banner-is-configured-properly.md | 4.3 确保远程登录提示消息的内容符合要求 | benchmarks/system-configurations | 1 |
diff --git a/remediation-kits/services/3.27-ensure-time-synchronization-is-installed.sh b/remediation-kits/services/3.27-ensure-time-synchronization-is-installed.sh
new file mode 100644
index 0000000..750f16c
--- /dev/null
+++ b/remediation-kits/services/3.27-ensure-time-synchronization-is-installed.sh
@@ -0,0 +1 @@
+rpm -qa | grep -q chrony || dnf install chrony -y
diff --git a/scanners/services/3.27-ensure-time-synchronization-is-installed.sh b/scanners/services/3.27-ensure-time-synchronization-is-installed.sh
new file mode 100644
index 0000000..0281f85
--- /dev/null
+++ b/scanners/services/3.27-ensure-time-synchronization-is-installed.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+result=false
+
+rpm -q chrony | grep -Psiq "chrony\-" && result=true
+
+if [ "$result" = true ]; then
+ echo "pass"
+else
+ echo "fail"
+fi
--
Gitee
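Review bot: The guard `rpm -qa | grep -q chrony` in the remediation kit is a substring match over every installed package name, so any package whose name merely contains "chrony" makes the script skip the install and exit 0. The scanner added in this same patch tests `rpm -q chrony`, so a host can stay non-compliant after remediation appears to succeed. Query the package by name so both scripts agree on what counts as installed: `rpm -q chrony >/dev/null 2>&1 || dnf install -y chrony`. The file also lacks the `#!/usr/bin/env bash` line that the scanner carries.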
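Review bot: The scanner decides pass or fail by matching rpm's output text with `grep -Psiq "chrony\-"` instead of using rpm's exit status. The pattern uses no PCRE feature, yet `-P` makes the check depend on a grep built with PCRE support; without it grep would presumably exit with an error and the script would print "fail" on a compliant host. `rpm -q chrony >/dev/null 2>&1 && result=true` gives the same verdict without parsing output. A short header comment should also state that the check covers package presence only, as the rule title says, and not whether chronyd is enabled or has a time source configured.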