From de575924082e17ff0e2fe537a3c72adf87942a55 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Mon, 23 Mar 2020 16:02:21 +0100
Subject: [PATCH 1/3] create rule
---
 .../ansible/shared.yml | 7 +++++
 .../configure_etc_hosts_deny/bash/shared.sh | 3 ++
 .../configure_etc_hosts_deny/oval/shared.xml | 1 +
 .../configure_etc_hosts_deny/rule.yml | 31 +++++++++++++++++++
 .../tests/correct.pass.sh | 6 ++++
 .../tests/file_empty.fail.sh | 6 ++++
 .../tests/file_missing.fail.sh | 6 ++++
 .../tests/wrong.fail.sh | 6 ++++
 shared/references/cce-redhat-avail.txt | 1 -
 9 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml
 create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh
 create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/oval/shared.xml
 create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml
 create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/correct.pass.sh
 create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_empty.fail.sh
 create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_missing.fail.sh
 create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/wrong.fail.sh
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml
new file mode 100644
index 0000000000..480bde9f80
--- /dev/null
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml
@@ -0,0 +1,7 @@
+# platform = Red Hat Enterprise Linux 7,Oracle Linux 7
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = medium
+
+{{{ ansible_lineinfile(msg='', path='/etc/hosts.deny', regex='', new_line='ALL: ALL', create='true', state='present') }}}
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh
new file mode 100644
index 0000000000..e1def7a9ab
--- /dev/null
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh
@@ -0,0 +1,3 @@
+# platform = Red Hat Enterprise Linux 7,Oracle Linux 7
+
+{{{ set_config_file(path="/etc/hosts.deny", parameter="ALL:", value="ALL", create=true, insert_after="EOF", insert_before="", insensitive=true, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}}
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/oval/shared.xml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/oval/shared.xml
new file mode 100644
index 0000000000..de1e7261a6
--- /dev/null
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/oval/shared.xml
@@ -0,0 +1 @@
+{{{ oval_check_config_file(path='/etc/hosts.deny', prefix_regex='^[ \\t]*', parameter='ALL:', separator_regex='[ \\t]+', value='ALL', missing_parameter_pass=false, missing_config_file_fail=true) }}}
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml
new file mode 100644
index 0000000000..f81259ab25
--- /dev/null
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml
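Review bot: `# disruption = medium` understates what the lineinfile task at the end of this hunk can do: writing `ALL: ALL` to /etc/hosts.deny denies every libwrap-aware service to any client not listed in /etc/hosts.allow, and the patch's own test scripts have to pre-seed /etc/hosts.allow with `ALL: ALL` precisely so they do not lose their SSH session. A remediation that can sever the management connection it is delivered over belongs at `# disruption = high`, with the header comment saying why, and the profile should select the hosts.allow rule before this one rather than after. As a smaller point, `regex=''` means an existing `ALL:ALL` or `all: all` line is not recognised and a second `ALL: ALL` line is appended; harmless to tcp_wrappers, but a `regex='^\s*ALL\s*:\s*ALL\s*$'` would normalise instead of duplicating.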
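Review bot: `separator_regex='[ \\t]+'` in the OVAL check is stricter than the syntax tcp_wrappers accepts: hosts_access(5) splits fields on the colon and whitespace around it is optional, so a host whose /etc/hosts.deny already carries `ALL:ALL` is reported as failing, and the bash remediation in the previous hunk (same `\s\+` separator) would then append a duplicate line rather than recognise it; `separator_regex='[ \\t]*'` accepts both spellings. Whether the macro anchors the value at end of line is not visible from this hunk; if it does not, a line such as `ALL: ALL EXCEPT 10.0.0.0/8` also satisfies the check while leaving a hole, so that case deserves an explicit test either way. `missing_config_file_fail=true` and `missing_parameter_pass=false` are the right defaults for a deny-all rule.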
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+prodtype: ol7,rhel7
+
+title: 'Ensure /etc/hosts.deny is configured'
+
+description: |-
+ The file /etc/hosts.deny together with /etc/hosts.allow provides a
+ simple access control mechanism for network services supporting TCP wrappers.
+ The following line in the file ensures that access to services supporting this mechanism is denied to any clients
+ not mentioned in /etc/hosts.allow:
+
ALL: ALL
+
+rationale: |-
+ Correct configuration in /etc/hosts.deny ensures that no explicitly mentioned clients will be able to connect to services supporting this access controll mechanism.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: 83391-3
+
+references:
+ cis@rhel7: 3.4.3
+
+ocil_clause: 'access to services supporting TCP wrappers is not properly configured'
+
+ocil: |-
+ Display contents of the file:
+
cat /etc/hosts.deny
+ Verify that the output contains the following line:
+
ALL: ALL
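Review bot: rule.yml has no `warnings:` entry, yet applying the `ALL: ALL` line it prescribes on a host without a permissive /etc/hosts.allow locks out every service that honours TCP wrappers, including the SSH session the remediation is usually run from; the patch's test scripts work around exactly this by writing `ALL: ALL` to /etc/hosts.allow first. I would add a `warnings:` block with a `general` entry saying that /etc/hosts.allow must permit the management network before this rule is applied, and that the hosts.allow rule (CIS 3.4.2) should be remediated first. The `ocil` text could also state that a commented-out `# ALL: ALL` line does not satisfy the check, since that is the most common way the line ends up "present" but ineffective.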
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/correct.pass.sh b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/correct.pass.sh
new file mode 100644
index 0000000000..cbd4e9467a
--- /dev/null
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/correct.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# this is done to ensure that we don't lose ssh connection to the machine
+echo "ALL: ALL" > /etc/hosts.allow
+# this is the actual test case
+echo "ALL: ALL" > /etc/hosts.deny
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_empty.fail.sh b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_empty.fail.sh
new file mode 100644
index 0000000000..d61a08a119
--- /dev/null
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_empty.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# this is done to ensure that we don't lose ssh connection to the machine
+echo "ALL: ALL" > /etc/hosts.allow
+# this is the actual test case
+echo "" > /etc/hosts.deny
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_missing.fail.sh b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_missing.fail.sh
new file mode 100644
index 0000000000..78c99cc73a
--- /dev/null
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_missing.fail.sh
@@ -0,0 +1,6 @@
+#!(bin/bash
+
+# this is done to ensure that we don't lose ssh connection to the machine
+echo "ALL: ALL" > /etc/hosts.allow
+# this is the actual test case
+rm -f /etc/hosts.deny
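Review bot: The shebang of tests/file_missing.fail.sh reads `#!(bin/bash` in the hunk as shown, which is not a valid interpreter path; unless that is an artefact of how the patch was captured it should be `#!/bin/bash` like its three siblings, otherwise the script only works because the test harness happens to invoke bash explicitly. All four scripts also overwrite /etc/hosts.allow wholesale with `ALL: ALL`, which is acceptable on a disposable test VM but worth stating in the comment (`# test VM only: clobbers hosts.allow to keep the SSH session alive`) so the snippet is not copied onto a real host.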
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/wrong.fail.sh b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/wrong.fail.sh
new file mode 100644
index 0000000000..efc958523d
--- /dev/null
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/wrong.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# this is done to ensure that we don't lose ssh connection to the machine
+echo "ALL: ALL" > /etc/hosts.allow
+# this is the actual test case
+echo "something different" > /etc/hosts.deny
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 6a2445d0bf..6c2b6aee41 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -96,7 +96,6 @@ CCE-83387-1
 CCE-83388-9
 CCE-83389-7
 CCE-83390-5
-CCE-83391-3
 CCE-83392-1
 CCE-83393-9
 CCE-83394-7
From bd3d76598f4790efc7d589d6f4916aa207f4aa4b Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Mon, 23 Mar 2020 16:02:43 +0100
Subject: [PATCH 2/3] add rule to rhel7 cis profile
---
 rhel7/profiles/cis.profile | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index 486fcf9a33..4727adaaf5 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -352,6 +352,8 @@ selections:
 ### 3.4.2 Ensure /etc/hosts.allow is configured (Scored)
 ### 3.4.3 Ensure /etc/hosts.deny is configured (Scored)
+ - configure_etc_hosts_deny
+
 ### 3.4.4 Ensure permissions on /etc/hosts.allow are configured (Scored)
 ### 3.4.5 Ensure permissions on /etc/hosts.deny are configured (Scored)
From d25cbb63a67af1ea749afda7c2fb7590de388538 Mon Sep 17 00:00:00 2001
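Review bot: The negative coverage stops at the unrelated line in tests/wrong.fail.sh; the realistic misconfiguration is an administrator neutralising the rule with a comment, so a `commented.fail.sh` writing `echo "# ALL: ALL" > /etc/hosts.deny` would prove the `^[ \t]*` prefix in the OVAL check really rejects it. A companion case writing `ALL:ALL` (no space) would pin down which spellings the rule accepts, since the check as written treats that valid form as a failure.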
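Review bot: The profile hunk selects `configure_etc_hosts_deny` under 3.4.3 while 3.4.2 (hosts.allow) directly above it stays an unselected comment, so a CIS profile run now applies a deny-all to TCP-wrapped services without the allow side that makes it survivable; the patch's own tests have to seed /etc/hosts.allow by hand to keep SSH. Either land the 3.4.2 rule in the same series and list it first, or add a comment under the selection noting that hosts.allow must be populated before this rule is remediated.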
From: vojtapolasek
Date: Tue, 24 Mar 2020 08:57:21 +0100
Subject: [PATCH 3/3] fix typo
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-Authored-By: Jan Černý
---
 .../obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml
index f81259ab25..ea657a8f79 100644
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml
@@ -12,7 +12,7 @@ description: |-
ALL: ALL
rationale: |-
- Correct configuration in /etc/hosts.deny ensures that no explicitly mentioned clients will be able to connect to services supporting this access controll mechanism.
+ Correct configuration in /etc/hosts.deny ensures that no explicitly mentioned clients will be able to connect to services supporting this access control mechanism.
 severity: medium
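Review bot: The rationale line rewritten in this hunk still states the opposite of what the rule enforces: `ALL: ALL` in /etc/hosts.deny blocks every client that is not explicitly allowed, not "explicitly mentioned clients", and the description earlier in the same file says so correctly. Suggested wording for the `+` line: `Correct configuration in /etc/hosts.deny ensures that only clients explicitly permitted in /etc/hosts.allow can connect to services that honour this access control mechanism.` The rest of rule.yml lies outside this hunk.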