From de575924082e17ff0e2fe537a3c72adf87942a55 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Mon, 23 Mar 2020 16:02:21 +0100

Subject: [PATCH 1/3] create rule

---

 .../ansible/shared.yml                        |  7 +++++

 .../configure_etc_hosts_deny/bash/shared.sh   |  3 ++

 .../configure_etc_hosts_deny/oval/shared.xml  |  1 +

 .../configure_etc_hosts_deny/rule.yml         | 31 +++++++++++++++++++

 .../tests/correct.pass.sh                     |  6 ++++

 .../tests/file_empty.fail.sh                  |  6 ++++

 .../tests/file_missing.fail.sh                |  6 ++++

 .../tests/wrong.fail.sh                       |  6 ++++

 shared/references/cce-redhat-avail.txt        |  1 -

 9 files changed, 66 insertions(+), 1 deletion(-)

 create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml

 create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh

 create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/oval/shared.xml

 create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml

 create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/correct.pass.sh

 create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_empty.fail.sh

 create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_missing.fail.sh

 create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/wrong.fail.sh

diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml

new file mode 100644

index 0000000000..480bde9f80

--- /dev/null

+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml

@@ -0,0 +1,7 @@

+# platform = Red Hat Enterprise Linux 7,Oracle Linux 7

+# reboot = false

+# strategy = restrict

+# complexity = low

+# disruption = medium

+

+{{{ ansible_lineinfile(msg='', path='/etc/hosts.deny', regex='', new_line='ALL: ALL', create='true', state='present') }}}

diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh

new file mode 100644

index 0000000000..e1def7a9ab

--- /dev/null

+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh

@@ -0,0 +1,3 @@

+# platform = Red Hat Enterprise Linux 7,Oracle Linux 7

+

+{{{ set_config_file(path="/etc/hosts.deny", parameter="ALL:", value="ALL", create=true, insert_after="EOF", insert_before="", insensitive=true, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}}

diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/oval/shared.xml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/oval/shared.xml

new file mode 100644

index 0000000000..de1e7261a6

--- /dev/null

+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/oval/shared.xml

@@ -0,0 +1 @@

+{{{ oval_check_config_file(path='/etc/hosts.deny', prefix_regex='^[ \\t]*', parameter='ALL:', separator_regex='[ \\t]+', value='ALL', missing_parameter_pass=false, missing_config_file_fail=true) }}}

diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml

new file mode 100644

index 0000000000..f81259ab25

--- /dev/null

+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml

@@ -0,0 +1,31 @@

+documentation_complete: true

+

+prodtype: ol7,rhel7

+

+title: 'Ensure /etc/hosts.deny is configured'

+

+description: |-

+    The file <tt>/etc/hosts.deny</tt> together with <tt>/etc/hosts.allow</tt> provides a

+    simple access control mechanism for network services supporting TCP wrappers. 

+    The following line in the file ensures that access to services supporting this mechanism is denied to any clients

+    not mentioned in <tt>/etc/hosts.allow</tt>:

+    
ALL: ALL

+

+rationale: |-

+    Correct configuration in <tt>/etc/hosts.deny</tt> ensures that no explicitly mentioned clients will be able to connect to services supporting this access controll mechanism. 

+

+severity: medium

+

+identifiers:

+    cce@rhel7: 83391-3

+

+references:

+    cis@rhel7: 3.4.3

+

+ocil_clause: 'access to services supporting TCP wrappers is not properly configured'

+

+ocil: |-

+    Display contents of the file:

+    
cat /etc/hosts.deny

+    Verify that the output contains the following line:

+    
ALL: ALL

diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/correct.pass.sh b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/correct.pass.sh

new file mode 100644

index 0000000000..cbd4e9467a

--- /dev/null

+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/correct.pass.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+

+# this is done to ensure that we don't lose ssh connection to the machine

+echo "ALL: ALL" > /etc/hosts.allow

+# this is the actual test case

+echo "ALL: ALL" > /etc/hosts.deny

diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_empty.fail.sh b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_empty.fail.sh

new file mode 100644

index 0000000000..d61a08a119

--- /dev/null

+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_empty.fail.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+

+# this is done to ensure that we don't lose ssh connection to the machine

+echo "ALL: ALL" > /etc/hosts.allow

+# this is the actual test case

+echo "" > /etc/hosts.deny

diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_missing.fail.sh b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_missing.fail.sh

new file mode 100644

index 0000000000..78c99cc73a

--- /dev/null

+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_missing.fail.sh

@@ -0,0 +1,6 @@

+#!(bin/bash

+

+# this is done to ensure that we don't lose ssh connection to the machine

+echo "ALL: ALL" > /etc/hosts.allow

+# this is the actual test case

+rm -f /etc/hosts.deny

diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/wrong.fail.sh b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/wrong.fail.sh

new file mode 100644

index 0000000000..efc958523d

--- /dev/null

+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/wrong.fail.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+

+# this is done to ensure that we don't lose ssh connection to the machine

+echo "ALL: ALL" > /etc/hosts.allow

+# this is the actual test case

+echo "something different" > /etc/hosts.deny

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt

index 6a2445d0bf..6c2b6aee41 100644

--- a/shared/references/cce-redhat-avail.txt

+++ b/shared/references/cce-redhat-avail.txt

@@ -96,7 +96,6 @@ CCE-83387-1

 CCE-83388-9

 CCE-83389-7

 CCE-83390-5

-CCE-83391-3

 CCE-83392-1

 CCE-83393-9

 CCE-83394-7

From bd3d76598f4790efc7d589d6f4916aa207f4aa4b Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Mon, 23 Mar 2020 16:02:43 +0100

Subject: [PATCH 2/3] add rule to rhel7 cis profile

---

 rhel7/profiles/cis.profile | 2 ++

 1 file changed, 2 insertions(+)

diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile

index 486fcf9a33..4727adaaf5 100644

--- a/rhel7/profiles/cis.profile

+++ b/rhel7/profiles/cis.profile

@@ -352,6 +352,8 @@ selections:

     ### 3.4.2 Ensure /etc/hosts.allow is configured (Scored)

     ### 3.4.3 Ensure /etc/hosts.deny is configured (Scored)

+    - configure_etc_hosts_deny

+

     ### 3.4.4 Ensure permissions on /etc/hosts.allow are configured (Scored)

     ### 3.4.5 Ensure permissions on /etc/hosts.deny are configured (Scored)

From d25cbb63a67af1ea749afda7c2fb7590de388538 Mon Sep 17 00:00:00 2001

From: vojtapolasek <krecoun@gmail.com>

Date: Tue, 24 Mar 2020 08:57:21 +0100

Subject: [PATCH 3/3] fix typo

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Co-Authored-By: Jan Černý <jcerny@redhat.com>

---

 .../obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml

index f81259ab25..ea657a8f79 100644

--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml

+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml

@@ -12,7 +12,7 @@ description: |-

     
ALL: ALL

 rationale: |-

-    Correct configuration in <tt>/etc/hosts.deny</tt> ensures that no explicitly mentioned clients will be able to connect to services supporting this access controll mechanism. 

+    Correct configuration in <tt>/etc/hosts.deny</tt> ensures that no explicitly mentioned clients will be able to connect to services supporting this access control mechanism. 

 severity: medium