From 74dfdeffe59ed7ed1e31151df3fefe98f1dc8876 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 21 Apr 2020 15:41:27 +0200
Subject: [PATCH 1/3] remove remediations, add warning
---
.../configure_etc_hosts_deny/ansible/shared.yml | 7 -------
.../configure_etc_hosts_deny/bash/shared.sh | 3 ---
.../configure_etc_hosts_deny/rule.yml | 12 ++++++++++++
3 files changed, 12 insertions(+), 10 deletions(-)
delete mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml
delete mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml
deleted file mode 100644
index 480bde9f80..0000000000
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-# platform = Red Hat Enterprise Linux 7,Oracle Linux 7
-# reboot = false
-# strategy = restrict
-# complexity = low
-# disruption = medium
-
-{{{ ansible_lineinfile(msg='', path='/etc/hosts.deny', regex='', new_line='ALL: ALL', create='true', state='present') }}}
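
Review bot: the deleted task used `regex=''`, so `ansible_lineinfile` matched nothing and simply appended `ALL: ALL` to /etc/hosts.deny without checking whether /etc/hosts.allow permitted anything, which is exactly the lockout the new warning describes; removing it is the right call. The subject line `remove remediations, add warning` does not say why, though, and the removed `# platform = Red Hat Enterprise Linux 7,Oracle Linux 7` line shows that only those two products ever had automated remediation for this rule, which is worth recording in the commit message for anyone tracking remediation coverage.
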
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh
deleted file mode 100644
index e1def7a9ab..0000000000
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-# platform = Red Hat Enterprise Linux 7,Oracle Linux 7
-
-{{{ set_config_file(path="/etc/hosts.deny", parameter="ALL:", value="ALL", create=true, insert_after="EOF", insert_before="", insensitive=true, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}}
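
Review bot: with the Bash script gone as well, nothing in the series tells profile tooling that the rule is now check-only; the `ocil` text still expects the literal `ALL: ALL`, so every scan fails until an administrator edits the file by hand. That is the intended behaviour according to the warning added to rule.yml, but it deserves a sentence in the description rather than only in a warning. One detail worth carrying over from the removed script: `set_config_file(... insert_after="EOF" ...)` appended the line at the end of the file, and the manual instructions should say the same, because tcp_wrappers stops at the first matching entry, so an `ALL: ALL` placed above more specific lines in /etc/hosts.deny would shadow them.
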
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml
index ec53cc799f..fb3143d24b 100644
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml
@@ -10,6 +10,10 @@ description: |-
The following line in the file ensures that access to services supporting this mechanism is denied to any clients
not mentioned in <tt>/etc/hosts.allow</tt>:
ALL: ALL
+ It is advised to inspect available network services which might be affected by modification of file mentioned above prior to performing the remediation of this rule.
+ If there exist services which might be affected and access to them should not be blocked,
+ modify the <tt>/etc/hosts.deny</tt> file appropriately before performing the remediation.
+
rationale: |-
Correct configuration in <tt>/etc/hosts.deny</tt> ensures that no explicitly mentioned clients will be able to connect to services supporting this access control mechanism.
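
Review bot: the added line `modify the <tt>/etc/hosts.deny</tt> file appropriately before performing the remediation` names the wrong file. Adding `ALL: ALL` to /etc/hosts.deny is the remediation itself; the way to keep a service reachable is to list its permitted clients in /etc/hosts.allow, which tcp_wrappers consults first and which wins over hosts.deny on a match. Say /etc/hosts.allow here and give the one concrete step the warning later refers the reader to, for example an entry such as `sshd: 192.0.2.0/255.255.255.0` (the management network) in /etc/hosts.allow before `ALL: ALL` goes into hosts.deny. The added `+` blank line also leaves two consecutive blank lines before `rationale:`.
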
@@ -29,3 +33,11 @@ ocil: |-
cat /etc/hosts.deny
Verify that the output contains the following line:
ALL: ALL
+
+warnings:
+ - management: |-
+ enabling this rule affects all connections to serviceswhich honor <tt>/etc/hosts.allow</tt> and <tt>/etc/hosts.deny</tt> files.
+ Connections to such servicesfrom any hosts which are not explicitly mentioned in <tt>/etc/hosts.allow</tt> will be rejected.
+ As the <tt>/etc/hosts.allow</tt> file is often left empty, there is a chance that remediation of this rule might prevent the system from accepting SSH connections and therefore limiting management access.
+ Therefore, this rule will not be remediated automatically. For information about manual process
+ of remediation see the rule description.
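
Review bot: two missing spaces in the added text, `serviceswhich` and `servicesfrom`, and the first sentence should start with a capital letter (`Enabling this rule ...`). More importantly, the warning sends the reader to the rule description for the manual process, but the description hunk only says to inspect services and edit a file; the actionable information (SSH lockout when hosts.allow has no entries) lives here in the warning. Either move the hosts.allow step into the description or spell it out in this warning. The category also looks wrong: the risk is loss of service for every program that honors hosts.allow/hosts.deny, not only loss of management access, so a `functionality` warning fits better than `management`.
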
From 3622b07d64f6a923143b0b5d34aa6b19571f3889 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 22 Apr 2020 12:42:20 +0200
Subject: [PATCH 2/3] fix wording
---
.../configure_etc_hosts_deny/rule.yml | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml
index fb3143d24b..effed82fd8 100644
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml
@@ -12,7 +12,7 @@ description: |-
ALL: ALL
It is advised to inspect available network services which might be affected by modification of file mentioned above prior to performing the remediation of this rule.
If there exist services which might be affected and access to them should not be blocked,
- modify the <tt>/etc/hosts.deny</tt> file appropriately before performing the remediation.
+ modify the <tt>/etc/hosts.allow</tt> file appropriately before performing the remediation.
rationale: |-
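
Review bot: the file name fix is correct (exemptions go into /etc/hosts.allow), but the step is still abstract and the two context sentences around it read awkwardly (`inspect available network services which might be affected by modification of file mentioned above`, `If there exist services which might be affected`). Suggest collapsing the three lines into one instruction, along the lines of: `Before remediating, identify the services on this system that honor <tt>/etc/hosts.allow</tt> and <tt>/etc/hosts.deny</tt> (sshd on the platforms the removed remediations targeted, anything started by xinetd) and add their permitted clients to <tt>/etc/hosts.allow</tt>; otherwise the <tt>ALL: ALL</tt> entry rejects them.`
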
@@ -35,9 +35,9 @@ ocil: |-
ALL: ALL
warnings:
- - management: |-
- enabling this rule affects all connections to serviceswhich honor <tt>/etc/hosts.allow</tt> and <tt>/etc/hosts.deny</tt> files.
- Connections to such servicesfrom any hosts which are not explicitly mentioned in <tt>/etc/hosts.allow</tt> will be rejected.
- As the <tt>/etc/hosts.allow</tt> file is often left empty, there is a chance that remediation of this rule might prevent the system from accepting SSH connections and therefore limiting management access.
- Therefore, this rule will not be remediated automatically. For information about manual process
- of remediation see the rule description.
+ - functionality: |-
+ This rule affects all access to serviceswhich honor <tt>/etc/hosts.allow</tt> and <tt>/etc/hosts.deny</tt> files.
+ Connections to services originating from hosts not explicitly mentioned in <tt>/etc/hosts.allow</tt> will be rejected.
+ As the <tt>/etc/hosts.allow</tt> is empty by default, make sure it is appropriately configured before applying remediation for this rule.
+ To avoid locking down all network access to the system, this rule doesn't perform automated remediation.
+ For information about manual process of remediation see the rule description.
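
Review bot: `serviceswhich` on the first added line still lacks its space, and `As the <tt>/etc/hosts.allow</tt> is empty by default` is missing a noun (`the file`) and asserts a default that depends on the product; safer to say that hosts.allow commonly contains no rules, which is the condition that actually causes the lockout. `doesn't perform automated remediation` and `manual process of remediation` would read better as `has no automated remediation` and `the manual remediation steps`. Switching the category from `management` to `functionality` is the right call, since every wrapped service is affected, not just management access.
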
From 4f98610b8366c55c9e212a2cd6feeb2b4002c111 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 24 Apr 2020 11:48:57 +0200
Subject: [PATCH 3/3] fix wording
---
.../inetd_and_xinetd/configure_etc_hosts_deny/rule.yml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml
index effed82fd8..f2fc86748f 100644
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml
@@ -36,8 +36,7 @@ ocil: |-
warnings:
- functionality: |-
- This rule affects all access to serviceswhich honor <tt>/etc/hosts.allow</tt> and <tt>/etc/hosts.deny</tt> files.
+ This rule affects all access to services which honor <tt>/etc/hosts.allow</tt> and <tt>/etc/hosts.deny</tt> files.
Connections to services originating from hosts not explicitly mentioned in <tt>/etc/hosts.allow</tt> will be rejected.
- As the <tt>/etc/hosts.allow</tt> is empty by default, make sure it is appropriately configured before applying remediation for this rule.
To avoid locking down all network access to the system, this rule doesn't perform automated remediation.
For information about manual process of remediation see the rule description.
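
Review bot: the space fix on `services which` is fine, but deleting the `hosts.allow is empty by default` sentence outright removes the only line in the warning that tells the reader what to do before remediating; what remains only says connections will be rejected and that there is no automated fix. Keep a short replacement such as `Add the permitted clients to <tt>/etc/hosts.allow</tt> before adding <tt>ALL: ALL</tt> to <tt>/etc/hosts.deny</tt>.` The unchanged last line's `manual process of remediation` still reads awkwardly (`the manual remediation steps`).
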