From 2cbc694687190cadb155c5582f93a8cf91ebdc4c Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Thu, 26 Aug 2021 15:04:46 +0200
Subject: [PATCH] Bug 1942281 - Set postfix rules to notapplicable when package is not installed
---
.../rule.yml | 2 ++
.../rule.yml | 2 ++
.../services/mail/postfix_harden_os/group.yml | 2 ++
.../rule.yml | 3 ++-
products/rhel8/profiles/stig.profile | 4 +---
products/rhel9/profiles/stig.profile | 4 +---
shared/applicability/general.yml | 5 +++++
.../installed_env_has_postfix_package.xml | 20 +++++++++++++++++++
shared/references/cce-redhat-avail.txt | 1 -
.../data/profile_stability/rhel8/stig.profile | 3 ++-
.../profile_stability/rhel8/stig_gui.profile | 3 ++-
11 files changed, 39 insertions(+), 10 deletions(-)
create mode 100644 shared/checks/oval/installed_env_has_postfix_package.xml
diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml
index 0faafeb0c2f..4b440e79845 100644
--- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml
+++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml
@@ -21,3 +21,5 @@ ocil: |-
Run the following command to ensure postfix routes mail to this system:
$ grep relayhost /etc/postfix/main.cf
If properly configured, the output should show only {{{ xccdf_value("var_postfix_relayhost") }}}.
+
+platform: postfix
diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
index 096020ef687..579db484976 100644
--- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
+++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
@@ -42,3 +42,5 @@ ocil: |-
Run the following command to ensure postfix accepts mail messages from only the local system:
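Review bot: The added `platform: postfix` at the end of this hunk gates the rule on package presence alone, and nothing in the rule records that choice or why it is made per rule here while postfix_harden_os receives the same key at group level (presumably because not every postfix_client rule depends on the package — confirm). The same key is added identically to postfix_network_listening_disabled in the next hunk. A comment above the key on both rules, `# notapplicable unless the postfix package is installed (cpe:/a:postfix, shared/applicability/general.yml)`, would make the intent explicit to the next reader. The `ocil` block scalar this hunk ends begins outside the hunk.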
$ grep inet_interfaces /etc/postfix/main.cf
If properly configured, the output should show only {{{ xccdf_value("var_postfix_inet_interfaces") }}}.
+
+platform: postfix
diff --git a/linux_os/guide/services/mail/postfix_harden_os/group.yml b/linux_os/guide/services/mail/postfix_harden_os/group.yml
index 19b662508bd..8a415425e7d 100644
--- a/linux_os/guide/services/mail/postfix_harden_os/group.yml
+++ b/linux_os/guide/services/mail/postfix_harden_os/group.yml
@@ -6,3 +6,5 @@ description: |-
The guidance in this section is appropriate for any host which is operating as a site MTA, whether the mail server runs using Sendmail, Postfix, or some other software.
+
+platform: postfix
diff --git a/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml b/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml
index 9b4c7656a85..75e4133b119 100644
--- a/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml
+++ b/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,ol8,rhel7,rhel8,wrlinux1019
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,wrlinux1019
title: 'Prevent Unrestricted Mail Relaying'
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80512-7
cce@rhel8: CCE-84054-6
+ cce@rhel9: CCE-87232-5
references:
disa: CCI-000366
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index d31b251645b..5e9a2216fcd 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
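Review bot: The group description kept as context in this hunk still says the guidance applies to any site MTA "whether the mail server runs using Sendmail, Postfix, or some other software", while the added `platform: postfix` makes every rule under postfix_harden_os — including postfix_prevent_unrestricted_relay, whose prodtype and CCE hunks follow — notapplicable whenever the postfix package is absent, so a host running a different MTA now gets no result from this group. Either the description should state that scope, e.g. `The guidance in this section applies to hosts operating as a site MTA with Postfix; its rules are notapplicable when the postfix package is not installed.`, or the platform should stay on the individual rules. The `description` block scalar begins outside the hunk.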
@@ -1160,9 +1160,7 @@ selections:
- sysctl_net_core_bpf_jit_harden
# RHEL-08-040290
- # /etc/postfix/main.cf does not exist on default installation resulting in error during remediation
- # there needs to be a new platform check to identify when postfix is installed or not
- # - postfix_prevent_unrestricted_relay
+ - postfix_prevent_unrestricted_relay
# RHEL-08-040300
- aide_verify_ext_attributes
diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
index a40d848ee67..8d60468528d 100644
--- a/products/rhel9/profiles/stig.profile
+++ b/products/rhel9/profiles/stig.profile
@@ -1030,9 +1030,7 @@ selections:
- sysctl_net_ipv4_conf_all_rp_filter
# RHEL-08-040290
- # /etc/postfix/main.cf does not exist on default installation resulting in error during remediation
- # there needs to be a new platform check to identify when postfix is installed or not
- # - postfix_prevent_unrestricted_relay
+ - postfix_prevent_unrestricted_relay
# RHEL-08-040300
- aide_verify_ext_attributes
diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml
index 6e3ecfd9bf9..4163a07cbad 100644
--- a/shared/applicability/general.yml
+++ b/shared/applicability/general.yml
@@ -44,6 +44,11 @@ cpes:
title: "Package pam is installed"
check_id: installed_env_has_pam_package
+ - postfix:
+ name: "cpe:/a:postfix"
+ title: "Package postfix is installed"
+ check_id: installed_env_has_postfix_package
+
- sssd:
name: "cpe:/a:sssd"
title: "Package sssd-common is installed"
diff --git a/shared/checks/oval/installed_env_has_postfix_package.xml b/shared/checks/oval/installed_env_has_postfix_package.xml
new file mode 100644
index 00000000000..95ad355147b
--- /dev/null
+++ b/shared/checks/oval/installed_env_has_postfix_package.xml
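Review bot: Re-enabling `- postfix_prevent_unrestricted_relay` under RHEL-08-040290 is only safe because the same patch adds `platform: postfix` to the postfix_harden_os group, but once the three comment lines are removed the profile no longer says so, and the next reader meets the same concern the old comment described. Keeping one line above the selection, `# notapplicable when the postfix package is absent (platform: postfix on postfix_harden_os)`, would preserve that history; the rhel9 profile hunk below has the same gap. The stability data under tests/data/profile_stability is updated for rhel8 only — if a rhel9 stability profile exists, it needs the same selection added or its test will fail (not visible here).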
@@ -0,0 +1,20 @@
+
+
+
+
+ Package postfix is installed
+
+ multi_platform_all
+
+ Checks if package postfix is installed.
+
+
+
+
+
+
+
+ {{{ oval_test_package_installed(package='postfix', evr='', test_id='test_env_has_postfix_installed') }}}
+
+
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index ee4c156b79c..29fe687600c 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1314,7 +1314,6 @@ CCE-87228-3
CCE-87229-1
CCE-87230-9
CCE-87231-7
-CCE-87232-5
CCE-87233-3
CCE-87234-1
CCE-87235-8
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index ba596f86f83..ca0097b844b 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -64,8 +64,8 @@ selections:
- accounts_user_home_paths_only
- accounts_user_interactive_home_directory_defined
- accounts_user_interactive_home_directory_exists
-- aide_check_audit_tools
- agent_mfetpd_running
+- aide_check_audit_tools
- aide_scan_notification
- aide_verify_acls
- aide_verify_ext_attributes
@@ -304,6 +304,7 @@ selections:
- partition_for_var_log_audit
- partition_for_var_tmp
- postfix_client_configure_mail_alias
+- postfix_prevent_unrestricted_relay
- require_emergency_target_auth
- require_singleuser_auth
- root_permissions_syslibrary_files
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 9db93027011..3533208c4a5 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -75,8 +75,8 @@ selections:
- accounts_user_home_paths_only
- accounts_user_interactive_home_directory_defined
- accounts_user_interactive_home_directory_exists
-- aide_check_audit_tools
- agent_mfetpd_running
+- aide_check_audit_tools
- aide_scan_notification
- aide_verify_acls
- aide_verify_ext_attributes
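Review bot: Only the metadata text and the `oval_test_package_installed` macro call survive in this rendering of the new file; the element names, the definition id and its class attribute are not visible, so the structure of the check cannot be reviewed here. For a CPE applicability check referenced from shared/applicability/general.yml the definition is expected to carry class="inventory" like the other installed_env_has_*_package checks — confirm that the stripped markup does. `evr=''` together with `multi_platform_all` means any version of the package on any platform satisfies the CPE, which matches the title "Package postfix is installed" and is what the profile change relies on.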
@@ -315,6 +315,7 @@ selections:
- partition_for_var_log_audit
- partition_for_var_tmp
- postfix_client_configure_mail_alias
+- postfix_prevent_unrestricted_relay
- require_emergency_target_auth
- require_singleuser_auth
- root_permissions_syslibrary_files