From 74dfdeffe59ed7ed1e31151df3fefe98f1dc8876 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 21 Apr 2020 15:41:27 +0200
Subject: [PATCH 1/3] remove remediations, add warning

---
 .../configure_etc_hosts_deny/ansible/shared.yml      |  7 -------
 .../configure_etc_hosts_deny/bash/shared.sh          |  3 ---
 .../configure_etc_hosts_deny/rule.yml                | 12 ++++++++++++
 3 files changed, 12 insertions(+), 10 deletions(-)
 delete mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml
 delete mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh

diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml
deleted file mode 100644
index 480bde9f80..0000000000
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-# platform = Red Hat Enterprise Linux 7,Oracle Linux 7
-# reboot = false
-# strategy = restrict
-# complexity = low
-# disruption = medium
-
-{{{ ansible_lineinfile(msg='', path='/etc/hosts.deny', regex='', new_line='ALL: ALL', create='true', state='present') }}}
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh
deleted file mode 100644
index e1def7a9ab..0000000000
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-# platform = Red Hat Enterprise Linux 7,Oracle Linux 7
-
-{{{ set_config_file(path="/etc/hosts.deny", parameter="ALL:", value="ALL", create=true, insert_after="EOF", insert_before="", insensitive=true, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}}
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml
index ec53cc799f..fb3143d24b 100644
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml
@@ -10,6 +10,10 @@ description: |-
     The following line in the file ensures that access to services supporting this mechanism is denied to any clients
     not mentioned in <tt>/etc/hosts.allow</tt>:
     <pre>ALL: ALL</pre>
+    It is advised to inspect available network services which might be affected by modification of file mentioned above prior to performing the remediation of this rule.
+    If there exist services which might be affected and access to them should not be blocked,
+    modify the <tt>/etc/hosts.deny</tt> file appropriately before performing the remediation.
+
 
 rationale: |-
     Correct configuration in <tt>/etc/hosts.deny</tt> ensures that no explicitly mentioned clients will be able to connect to services supporting this access control mechanism. 
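Review bot: The empty line added at the end of the new description text sits directly above the blank line that already separated `description` from `rationale`, so the block now carries two empty lines there; with the `|-` chomping indicator the trailing blank is stripped from the value, but dropping the added line keeps the file layout consistent. In the first added sentence, `modification of file mentioned above` reads better as `modification of the file mentioned above`. The `description` block starts before this hunk.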
@@ -29,3 +33,11 @@ ocil: |-
     <pre>cat /etc/hosts.deny</pre>
     Verify that the output contains the following line:
     <pre>ALL: ALL</pre>
+
+warnings:
+    - management: |-
+        enabling this rule affects all connections to serviceswhich honor <tt>/etc/hosts.allow</tt> and <tt>/etc/hosts.deny</tt> files.
+        Connections to such servicesfrom any hosts which are not explicitly mentioned in <tt>/etc/hosts.allow</tt> will be rejected.
+        As the <tt>/etc/hosts.allow</tt> file is often left empty, there is a chance that remediation of this rule might prevent the system from accepting SSH connections and therefore limiting management access.
+        Therefore, this rule will not be remediated automatically. For information about manual process
+        of remediation see the rule description.
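Review bot: The closing sentence of the new warning, `For information about manual process of remediation see the rule description.`, is missing its articles and a comma; `For information about the manual remediation process, see the rule description.` reads cleanly. The same sentence is carried unchanged into the rewritten warning in the following two patches of this series, so the fix applies to those hunks as well. The `ocil` block that precedes the new `warnings` key starts before this hunk.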

From 3622b07d64f6a923143b0b5d34aa6b19571f3889 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 22 Apr 2020 12:42:20 +0200
Subject: [PATCH 2/3] fix wording

---
 .../configure_etc_hosts_deny/rule.yml              | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml
index fb3143d24b..effed82fd8 100644
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml
@@ -12,7 +12,7 @@ description: |-
     <pre>ALL: ALL</pre>
     It is advised to inspect available network services which might be affected by modification of file mentioned above prior to performing the remediation of this rule.
     If there exist services which might be affected and access to them should not be blocked,
-    modify the <tt>/etc/hosts.deny</tt> file appropriately before performing the remediation.
+    modify the <tt>/etc/hosts.allow</tt> file appropriately before performing the remediation.
 
 
 rationale: |-
@@ -35,9 +35,9 @@ ocil: |-
     <pre>ALL: ALL</pre>
 
 warnings:
-    - management: |-
-        enabling this rule affects all connections to serviceswhich honor <tt>/etc/hosts.allow</tt> and <tt>/etc/hosts.deny</tt> files.
-        Connections to such servicesfrom any hosts which are not explicitly mentioned in <tt>/etc/hosts.allow</tt> will be rejected.
-        As the <tt>/etc/hosts.allow</tt> file is often left empty, there is a chance that remediation of this rule might prevent the system from accepting SSH connections and therefore limiting management access.
-        Therefore, this rule will not be remediated automatically. For information about manual process
-        of remediation see the rule description.
+    - functionality: |-
+        This rule affects all access to serviceswhich honor <tt>/etc/hosts.allow</tt> and <tt>/etc/hosts.deny</tt> files.
+        Connections to services originating from hosts not explicitly mentioned in <tt>/etc/hosts.allow</tt> will be rejected.
+        As the <tt>/etc/hosts.allow</tt> is empty by default, make sure it is appropriately configured before applying remediation for this rule.
+        To avoid locking down all network access to the system, this rule doesn't perform automated remediation.
+        For information about manual process of remediation see the rule description.
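Review bot: The new warning uses a contraction, `this rule doesn't perform automated remediation`, while the rest of the rule text is written in full form; `this rule does not perform automated remediation` keeps the register consistent. That line is kept as context by the next patch in the series, so the point still applies to the final text. The `ocil` block preceding `warnings` starts before this hunk.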

From 4f98610b8366c55c9e212a2cd6feeb2b4002c111 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 24 Apr 2020 11:48:57 +0200
Subject: [PATCH 3/3] fix wording

---
 .../inetd_and_xinetd/configure_etc_hosts_deny/rule.yml         | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml
index effed82fd8..f2fc86748f 100644
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml
@@ -36,8 +36,7 @@ ocil: |-
 
 warnings:
     - functionality: |-
-        This rule affects all access to serviceswhich honor <tt>/etc/hosts.allow</tt> and <tt>/etc/hosts.deny</tt> files.
+        This rule affects all access to services which honor <tt>/etc/hosts.allow</tt> and <tt>/etc/hosts.deny</tt> files.
         Connections to services originating from hosts not explicitly mentioned in <tt>/etc/hosts.allow</tt> will be rejected.
-        As the <tt>/etc/hosts.allow</tt> is empty by default, make sure it is appropriately configured before applying remediation for this rule.
         To avoid locking down all network access to the system, this rule doesn't perform automated remediation.
         For information about manual process of remediation see the rule description.
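Review bot: Removing the sentence about `/etc/hosts.allow` being empty by default leaves the functionality warning without the precondition that makes the rule safe to apply: the surviving lines say that connections will be rejected and that remediation is manual, but no longer tell the administrator to populate `/etc/hosts.allow` first, and the warning is where that advice is most likely to be read. The description still carries similar advice, so if the deletion was meant to avoid duplication, a single clause such as `Make sure <tt>/etc/hosts.allow</tt> permits the required clients before adding the deny line.` would keep the precondition visible here. The `warnings` list is shown in full, but the `ocil` block above it starts before this hunk.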