|
 |
9be3b2 |
From 2cbc694687190cadb155c5582f93a8cf91ebdc4c Mon Sep 17 00:00:00 2001
|
|
|
9be3b2 |
From: Marcus Burghardt <maburgha@redhat.com>
|
|
|
9be3b2 |
Date: Thu, 26 Aug 2021 15:04:46 +0200
|
|
|
9be3b2 |
Subject: [PATCH] Bug 1942281 - Set postfix rules to notapplicable when package
|
|
|
9be3b2 |
is not installed
|
|
|
9be3b2 |
|
|
|
9be3b2 |
---
|
|
|
9be3b2 |
.../rule.yml | 2 ++
|
|
|
9be3b2 |
.../rule.yml | 2 ++
|
|
|
9be3b2 |
.../services/mail/postfix_harden_os/group.yml | 2 ++
|
|
|
9be3b2 |
.../rule.yml | 3 ++-
|
|
|
9be3b2 |
products/rhel8/profiles/stig.profile | 4 +---
|
|
|
9be3b2 |
products/rhel9/profiles/stig.profile | 4 +---
|
|
|
9be3b2 |
shared/applicability/general.yml | 5 +++++
|
|
|
9be3b2 |
.../installed_env_has_postfix_package.xml | 20 +++++++++++++++++++
|
|
|
9be3b2 |
shared/references/cce-redhat-avail.txt | 1 -
|
|
|
9be3b2 |
.../data/profile_stability/rhel8/stig.profile | 3 ++-
|
|
|
9be3b2 |
.../profile_stability/rhel8/stig_gui.profile | 3 ++-
|
|
|
9be3b2 |
11 files changed, 39 insertions(+), 10 deletions(-)
|
|
|
9be3b2 |
create mode 100644 shared/checks/oval/installed_env_has_postfix_package.xml
|
|
|
9be3b2 |
|
|
|
9be3b2 |
diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml
|
|
|
9be3b2 |
index 0faafeb0c2f..4b440e79845 100644
|
|
|
9be3b2 |
--- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml
|
|
|
9be3b2 |
+++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml
|
|
|
9be3b2 |
@@ -21,3 +21,5 @@ ocil: |-
|
|
|
9be3b2 |
Run the following command to ensure postfix routes mail to this system:
|
|
|
9be3b2 |
$ grep relayhost /etc/postfix/main.cf
|
|
|
9be3b2 |
If properly configured, the output should show only <tt>{{{ xccdf_value("var_postfix_relayhost") }}}</tt>.
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+platform: postfix
|
|
|
9be3b2 |
diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
|
|
|
9be3b2 |
index 096020ef687..579db484976 100644
|
|
|
9be3b2 |
--- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
|
|
|
9be3b2 |
+++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
|
|
|
9be3b2 |
@@ -42,3 +42,5 @@ ocil: |-
|
|
|
9be3b2 |
Run the following command to ensure postfix accepts mail messages from only the local system:
|
|
|
9be3b2 |
$ grep inet_interfaces /etc/postfix/main.cf
|
|
|
9be3b2 |
If properly configured, the output should show only <tt>{{{ xccdf_value("var_postfix_inet_interfaces") }}}</tt>.
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+platform: postfix
|
|
|
9be3b2 |
diff --git a/linux_os/guide/services/mail/postfix_harden_os/group.yml b/linux_os/guide/services/mail/postfix_harden_os/group.yml
|
|
|
9be3b2 |
index 19b662508bd..8a415425e7d 100644
|
|
|
9be3b2 |
--- a/linux_os/guide/services/mail/postfix_harden_os/group.yml
|
|
|
9be3b2 |
+++ b/linux_os/guide/services/mail/postfix_harden_os/group.yml
|
|
|
9be3b2 |
@@ -6,3 +6,5 @@ description: |-
|
|
|
9be3b2 |
The guidance in this section is appropriate for any host which is
|
|
|
9be3b2 |
operating as a site MTA, whether the mail server runs using Sendmail, Postfix,
|
|
|
9be3b2 |
or some other software.
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+platform: postfix
|
|
|
9be3b2 |
diff --git a/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml b/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml
|
|
|
9be3b2 |
index 9b4c7656a85..75e4133b119 100644
|
|
|
9be3b2 |
--- a/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml
|
|
|
9be3b2 |
+++ b/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml
|
|
|
9be3b2 |
@@ -1,6 +1,6 @@
|
|
|
9be3b2 |
documentation_complete: true
|
|
|
9be3b2 |
|
|
|
9be3b2 |
-prodtype: ol7,ol8,rhel7,rhel8,wrlinux1019
|
|
|
9be3b2 |
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,wrlinux1019
|
|
|
9be3b2 |
|
|
|
9be3b2 |
title: 'Prevent Unrestricted Mail Relaying'
|
|
|
9be3b2 |
|
|
|
9be3b2 |
@@ -19,6 +19,7 @@ severity: medium
|
|
|
9be3b2 |
identifiers:
|
|
|
9be3b2 |
cce@rhel7: CCE-80512-7
|
|
|
9be3b2 |
cce@rhel8: CCE-84054-6
|
|
|
9be3b2 |
+ cce@rhel9: CCE-87232-5
|
|
|
9be3b2 |
|
|
|
9be3b2 |
references:
|
|
|
9be3b2 |
disa: CCI-000366
|
|
|
9be3b2 |
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
|
|
9be3b2 |
index d31b251645b..5e9a2216fcd 100644
|
|
|
9be3b2 |
--- a/products/rhel8/profiles/stig.profile
|
|
|
9be3b2 |
+++ b/products/rhel8/profiles/stig.profile
|
|
|
9be3b2 |
@@ -1160,9 +1160,7 @@ selections:
|
|
|
9be3b2 |
- sysctl_net_core_bpf_jit_harden
|
|
|
9be3b2 |
|
|
|
9be3b2 |
# RHEL-08-040290
|
|
|
9be3b2 |
- # /etc/postfix/main.cf does not exist on default installation resulting in error during remediation
|
|
|
9be3b2 |
- # there needs to be a new platform check to identify when postfix is installed or not
|
|
|
9be3b2 |
- # - postfix_prevent_unrestricted_relay
|
|
|
9be3b2 |
+ - postfix_prevent_unrestricted_relay
|
|
|
9be3b2 |
|
|
|
9be3b2 |
# RHEL-08-040300
|
|
|
9be3b2 |
- aide_verify_ext_attributes
|
|
|
9be3b2 |
diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
|
|
|
9be3b2 |
index a40d848ee67..8d60468528d 100644
|
|
|
9be3b2 |
--- a/products/rhel9/profiles/stig.profile
|
|
|
9be3b2 |
+++ b/products/rhel9/profiles/stig.profile
|
|
|
9be3b2 |
@@ -1030,9 +1030,7 @@ selections:
|
|
|
9be3b2 |
- sysctl_net_ipv4_conf_all_rp_filter
|
|
|
9be3b2 |
|
|
|
9be3b2 |
# RHEL-08-040290
|
|
|
9be3b2 |
- # /etc/postfix/main.cf does not exist on default installation resulting in error during remediation
|
|
|
9be3b2 |
- # there needs to be a new platform check to identify when postfix is installed or not
|
|
|
9be3b2 |
- # - postfix_prevent_unrestricted_relay
|
|
|
9be3b2 |
+ - postfix_prevent_unrestricted_relay
|
|
|
9be3b2 |
|
|
|
9be3b2 |
# RHEL-08-040300
|
|
|
9be3b2 |
- aide_verify_ext_attributes
|
|
|
9be3b2 |
diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml
|
|
|
9be3b2 |
index 6e3ecfd9bf9..4163a07cbad 100644
|
|
|
9be3b2 |
--- a/shared/applicability/general.yml
|
|
|
9be3b2 |
+++ b/shared/applicability/general.yml
|
|
|
9be3b2 |
@@ -44,6 +44,11 @@ cpes:
|
|
|
9be3b2 |
title: "Package pam is installed"
|
|
|
9be3b2 |
check_id: installed_env_has_pam_package
|
|
|
9be3b2 |
|
|
|
9be3b2 |
+ - postfix:
|
|
|
9be3b2 |
+ name: "cpe:/a:postfix"
|
|
|
9be3b2 |
+ title: "Package postfix is installed"
|
|
|
9be3b2 |
+ check_id: installed_env_has_postfix_package
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
- sssd:
|
|
|
9be3b2 |
name: "cpe:/a:sssd"
|
|
|
9be3b2 |
title: "Package sssd-common is installed"
|
|
|
9be3b2 |
diff --git a/shared/checks/oval/installed_env_has_postfix_package.xml b/shared/checks/oval/installed_env_has_postfix_package.xml
|
|
|
9be3b2 |
new file mode 100644
|
|
|
9be3b2 |
index 00000000000..95ad355147b
|
|
|
9be3b2 |
--- /dev/null
|
|
|
9be3b2 |
+++ b/shared/checks/oval/installed_env_has_postfix_package.xml
|
|
|
9be3b2 |
@@ -0,0 +1,20 @@
|
|
|
9be3b2 |
+<def-group>
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+ id="installed_env_has_postfix_package" version="1">
|
|
|
9be3b2 |
+ <metadata>
|
|
|
9be3b2 |
+ <title>Package postfix is installed</title>
|
|
|
9be3b2 |
+ <affected family="unix">
|
|
|
9be3b2 |
+ <platform>multi_platform_all</platform>
|
|
|
9be3b2 |
+ </affected>
|
|
|
9be3b2 |
+ <description>Checks if package postfix is installed.</description>
|
|
|
9be3b2 |
+ <reference ref_id="cpe:/a:postfix" source="CPE" />
|
|
|
9be3b2 |
+ </metadata>
|
|
|
9be3b2 |
+ <criteria>
|
|
|
9be3b2 |
+ <criterion comment="Package postfix is installed" test_ref="test_env_has_postfix_installed" />
|
|
|
9be3b2 |
+ </criteria>
|
|
|
9be3b2 |
+ </definition>
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+ {{{ oval_test_package_installed(package='postfix', evr='', test_id='test_env_has_postfix_installed') }}}
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+</def-group>
|
|
|
9be3b2 |
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
|
|
9be3b2 |
index ee4c156b79c..29fe687600c 100644
|
|
|
9be3b2 |
--- a/shared/references/cce-redhat-avail.txt
|
|
|
9be3b2 |
+++ b/shared/references/cce-redhat-avail.txt
|
|
|
9be3b2 |
@@ -1314,7 +1314,6 @@ CCE-87228-3
|
|
|
9be3b2 |
CCE-87229-1
|
|
|
9be3b2 |
CCE-87230-9
|
|
|
9be3b2 |
CCE-87231-7
|
|
|
9be3b2 |
-CCE-87232-5
|
|
|
9be3b2 |
CCE-87233-3
|
|
|
9be3b2 |
CCE-87234-1
|
|
|
9be3b2 |
CCE-87235-8
|
|
|
9be3b2 |
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
9be3b2 |
index ba596f86f83..ca0097b844b 100644
|
|
|
9be3b2 |
--- a/tests/data/profile_stability/rhel8/stig.profile
|
|
|
9be3b2 |
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
9be3b2 |
@@ -64,8 +64,8 @@ selections:
|
|
|
9be3b2 |
- accounts_user_home_paths_only
|
|
|
9be3b2 |
- accounts_user_interactive_home_directory_defined
|
|
|
9be3b2 |
- accounts_user_interactive_home_directory_exists
|
|
|
9be3b2 |
-- aide_check_audit_tools
|
|
|
9be3b2 |
- agent_mfetpd_running
|
|
|
9be3b2 |
+- aide_check_audit_tools
|
|
|
9be3b2 |
- aide_scan_notification
|
|
|
9be3b2 |
- aide_verify_acls
|
|
|
9be3b2 |
- aide_verify_ext_attributes
|
|
|
9be3b2 |
@@ -304,6 +304,7 @@ selections:
|
|
|
9be3b2 |
- partition_for_var_log_audit
|
|
|
9be3b2 |
- partition_for_var_tmp
|
|
|
9be3b2 |
- postfix_client_configure_mail_alias
|
|
|
9be3b2 |
+- postfix_prevent_unrestricted_relay
|
|
|
9be3b2 |
- require_emergency_target_auth
|
|
|
9be3b2 |
- require_singleuser_auth
|
|
|
9be3b2 |
- root_permissions_syslibrary_files
|
|
|
9be3b2 |
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
9be3b2 |
index 9db93027011..3533208c4a5 100644
|
|
|
9be3b2 |
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
9be3b2 |
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
9be3b2 |
@@ -75,8 +75,8 @@ selections:
|
|
|
9be3b2 |
- accounts_user_home_paths_only
|
|
|
9be3b2 |
- accounts_user_interactive_home_directory_defined
|
|
|
9be3b2 |
- accounts_user_interactive_home_directory_exists
|
|
|
9be3b2 |
-- aide_check_audit_tools
|
|
|
9be3b2 |
- agent_mfetpd_running
|
|
|
9be3b2 |
+- aide_check_audit_tools
|
|
|
9be3b2 |
- aide_scan_notification
|
|
|
9be3b2 |
- aide_verify_acls
|
|
|
9be3b2 |
- aide_verify_ext_attributes
|
|
|
9be3b2 |
@@ -315,6 +315,7 @@ selections:
|
|
|
9be3b2 |
- partition_for_var_log_audit
|
|
|
9be3b2 |
- partition_for_var_tmp
|
|
|
9be3b2 |
- postfix_client_configure_mail_alias
|
|
|
9be3b2 |
+- postfix_prevent_unrestricted_relay
|
|
|
9be3b2 |
- require_emergency_target_auth
|
|
|
9be3b2 |
- require_singleuser_auth
|
|
|
9be3b2 |
- root_permissions_syslibrary_files
|