From de575924082e17ff0e2fe537a3c72adf87942a55 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 23 Mar 2020 16:02:21 +0100
Subject: [PATCH 1/3] create rule
---
.../ansible/shared.yml | 7 +++++
.../configure_etc_hosts_deny/bash/shared.sh | 3 ++
.../configure_etc_hosts_deny/oval/shared.xml | 1 +
.../configure_etc_hosts_deny/rule.yml | 31 +++++++++++++++++++
.../tests/correct.pass.sh | 6 ++++
.../tests/file_empty.fail.sh | 6 ++++
.../tests/file_missing.fail.sh | 6 ++++
.../tests/wrong.fail.sh | 6 ++++
shared/references/cce-redhat-avail.txt | 1 -
9 files changed, 66 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml
create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh
create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/oval/shared.xml
create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml
create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/correct.pass.sh
create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_empty.fail.sh
create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_missing.fail.sh
create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/wrong.fail.sh
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml
new file mode 100644
index 0000000000..480bde9f80
--- /dev/null
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml
@@ -0,0 +1,7 @@
+# platform = Red Hat Enterprise Linux 7,Oracle Linux 7
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = medium
+
+{{{ ansible_lineinfile(msg='', path='/etc/hosts.deny', regex='', new_line='ALL: ALL', create='true', state='present') }}}
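Review bot: With `regex=''` the generated lineinfile task only tests for the literal line `ALL: ALL`, so a host that already carries a spacing variant the OVAL check accepts (its separator is `[ \t]+`, e.g. `ALL:  ALL`) gets a second, duplicate entry instead of a normalized one, while the bash remediation in this series replaces such a line through `prefix_regex`/`separator_regex` — the two remediations diverge. Passing a matching pattern, e.g. `regex='^[ \\t]*ALL:[ \\t]+ALL[ \\t]*$'` (escaping adjusted to what the macro emits), makes the Ansible task rewrite the existing line the way bash does. `msg=''` also leaves the task nameless in the rendered playbook; something like `msg='Ensure ALL: ALL is present in /etc/hosts.deny'` is more helpful when reading a remediation run. As the test scripts' own comment in this series notes, this line denies every TCP-wrapper-aware service (SSH included) to clients not listed in /etc/hosts.allow, which is worth reflecting in the `disruption` header rather than `medium`.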
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh
new file mode 100644
index 0000000000..e1def7a9ab
--- /dev/null
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh
@@ -0,0 +1,3 @@
+# platform = Red Hat Enterprise Linux 7,Oracle Linux 7
+
+{{{ set_config_file(path="/etc/hosts.deny", parameter="ALL:", value="ALL", create=true, insert_after="EOF", insert_before="", insensitive=true, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}}
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/oval/shared.xml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/oval/shared.xml
new file mode 100644
index 0000000000..de1e7261a6
--- /dev/null
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/oval/shared.xml
@@ -0,0 +1 @@
+{{{ oval_check_config_file(path='/etc/hosts.deny', prefix_regex='^[ \\t]*', parameter='ALL:', separator_regex='[ \\t]+', value='ALL', missing_parameter_pass=false, missing_config_file_fail=true) }}}
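Review bot: The check demands `ALL:` immediately after leading whitespace and at least one space or tab before the second `ALL`, so a file containing `ALL:ALL` or `ALL : ALL` fails although, as far as I recall from hosts_access(5), the parser splits fields on the colon and ignores surrounding whitespace, treating those forms like `ALL: ALL` — worth confirming. If equivalent spellings should pass, `parameter='ALL'` with `separator_regex='[ \\t]*:[ \\t]*'` would cover them; if not, note that the bash remediation would then append a second `ALL: ALL` line next to the existing one rather than correct it. `missing_config_file_fail=true` and `missing_parameter_pass=false` do line up with the `file_missing` and `file_empty` scenarios in this series.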
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml
new file mode 100644
index 0000000000..f81259ab25
--- /dev/null
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+prodtype: ol7,rhel7
+
+title: 'Ensure /etc/hosts.deny is configured'
+
+description: |-
+ The file <tt>/etc/hosts.deny</tt> together with <tt>/etc/hosts.allow</tt> provides a
+ simple access control mechanism for network services supporting TCP wrappers.
+ The following line in the file ensures that access to services supporting this mechanism is denied to any clients
+ not mentioned in <tt>/etc/hosts.allow</tt>:
+ <pre>ALL: ALL</pre>
+
+rationale: |-
+ Correct configuration in <tt>/etc/hosts.deny</tt> ensures that no explicitly mentioned clients will be able to connect to services supporting this access controll mechanism.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: 83391-3
+
+references:
+ cis@rhel7: 3.4.3
+
+ocil_clause: 'access to services supporting TCP wrappers is not properly configured'
+
+ocil: |-
+ Display contents of the file:
+ <pre>cat /etc/hosts.deny</pre>
+ Verify that the output contains the following line:
+ <pre>ALL: ALL</pre>
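Review bot: The rule carries no `warnings:` entry, although writing `ALL: ALL` into /etc/hosts.deny denies every TCP-wrapper-aware service on the targeted RHEL 7 / OL 7 (sshd among them) to any client not listed in /etc/hosts.allow — the test scripts in this series pre-seed /etc/hosts.allow for exactly that reason, yet nothing tells an administrator applying the remediation to do the same. Add a `warnings:` block with a `general:` item stating that /etc/hosts.allow must list the permitted clients (CIS 3.4.2) before this line is added, otherwise remote access including SSH is cut off. The `ocil` could also point at /etc/hosts.allow, since a verifier who only sees `ALL: ALL` in hosts.deny cannot tell whether the system is still reachable.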
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/correct.pass.sh b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/correct.pass.sh
new file mode 100644
index 0000000000..cbd4e9467a
--- /dev/null
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/correct.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# this is done to ensure that we don't lose ssh connection to the machine
+echo "ALL: ALL" > /etc/hosts.allow
+# this is the actual test case
+echo "ALL: ALL" > /etc/hosts.deny
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_empty.fail.sh b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_empty.fail.sh
new file mode 100644
index 0000000000..d61a08a119
--- /dev/null
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_empty.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# this is done to ensure that we don't lose ssh connection to the machine
+echo "ALL: ALL" > /etc/hosts.allow
+# this is the actual test case
+echo "" > /etc/hosts.deny
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_missing.fail.sh b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_missing.fail.sh
new file mode 100644
index 0000000000..78c99cc73a
--- /dev/null
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_missing.fail.sh
@@ -0,0 +1,6 @@
+#!(bin/bash
+
+# this is done to ensure that we don't lose ssh connection to the machine
+echo "ALL: ALL" > /etc/hosts.allow
+# this is the actual test case
+rm -f /etc/hosts.deny
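Review bot: The first line `#!(bin/bash` is not a valid interpreter path; if the test harness executes the script directly instead of invoking it through `bash`, the script fails before `rm -f /etc/hosts.deny` runs and the file-missing scenario is never actually exercised, so a check with `missing_config_file_fail=false` would go unnoticed. Change it to `#!/bin/bash` as in the three sibling scripts.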
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/wrong.fail.sh b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/wrong.fail.sh
new file mode 100644
index 0000000000..efc958523d
--- /dev/null
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/wrong.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# this is done to ensure that we don't lose ssh connection to the machine
+echo "ALL: ALL" > /etc/hosts.allow
+# this is the actual test case
+echo "something different" > /etc/hosts.deny
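Review bot: `something different` is not a hosts_access entry at all (no colon), so this scenario mostly proves the check does not pass on garbage; a syntactically valid but insufficient entry is the more telling negative case, e.g. `echo "sshd: ALL" > /etc/hosts.deny`, which exercises the check's requirement that the deny-all line itself is present rather than any line. Keeping both lines in the file, or adding a second fail script for it, would not conflict with the `ALL: ALL` written to /etc/hosts.allow above.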
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 6a2445d0bf..6c2b6aee41 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -96,7 +96,6 @@ CCE-83387-1
CCE-83388-9
CCE-83389-7
CCE-83390-5
-CCE-83391-3
CCE-83392-1
CCE-83393-9
CCE-83394-7
From bd3d76598f4790efc7d589d6f4916aa207f4aa4b Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 23 Mar 2020 16:02:43 +0100
Subject: [PATCH 2/3] add rule to rhel7 cis profile
---
rhel7/profiles/cis.profile | 2 ++
1 file changed, 2 insertions(+)
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index 486fcf9a33..4727adaaf5 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -352,6 +352,8 @@ selections:
### 3.4.2 Ensure /etc/hosts.allow is configured (Scored)
### 3.4.3 Ensure /etc/hosts.deny is configured (Scored)
+ - configure_etc_hosts_deny
+
### 3.4.4 Ensure permissions on /etc/hosts.allow are configured (Scored)
### 3.4.5 Ensure permissions on /etc/hosts.deny are configured (Scored)
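Review bot: `configure_etc_hosts_deny` is selected under 3.4.3 while 3.4.2 (Ensure /etc/hosts.allow is configured) just above still has no rule, so remediating this profile writes `ALL: ALL` into /etc/hosts.deny with nothing guaranteeing that /etc/hosts.allow permits any client — the series' own test scripts seed /etc/hosts.allow first to keep their SSH session. Until a 3.4.2 rule exists, a comment next to the selection, e.g. `### NOTE: 3.4.3 remediation denies all TCP-wrapper clients not listed in /etc/hosts.allow; configure 3.4.2 first`, warns whoever applies the profile. The added blank line after the selection does not match the surrounding entries, which are not blank-separated in the context shown.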
From d25cbb63a67af1ea749afda7c2fb7590de388538 Mon Sep 17 00:00:00 2001
From: vojtapolasek <krecoun@gmail.com>
Date: Tue, 24 Mar 2020 08:57:21 +0100
Subject: [PATCH 3/3] fix typo
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-Authored-By: Jan Černý <jcerny@redhat.com>
---
.../obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml
index f81259ab25..ea657a8f79 100644
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml
@@ -12,7 +12,7 @@ description: |-
<pre>ALL: ALL</pre>
rationale: |-
- Correct configuration in <tt>/etc/hosts.deny</tt> ensures that no explicitly mentioned clients will be able to connect to services supporting this access controll mechanism.
+ Correct configuration in <tt>/etc/hosts.deny</tt> ensures that no explicitly mentioned clients will be able to connect to services supporting this access control mechanism.
severity: medium
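Review bot: The corrected rationale still says "no explicitly mentioned clients will be able to connect", which reads as if the clients that are listed are the ones denied; the description earlier in the file (above this hunk) states the opposite. Suggest `Correct configuration in <tt>/etc/hosts.deny</tt> ensures that clients not explicitly listed in <tt>/etc/hosts.allow</tt> will not be able to connect to services supporting this access control mechanism.`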