diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml index c0b809c6ca8..bda6d8a919b 100644 --- a/controls/cis_ubuntu2404.yml +++ b/controls/cis_ubuntu2404.yml @@ -1281,10 +1281,11 @@ controls: - l1_workstation rules: - firewall_single_service_active + - var_network_filtering_service=nftables status: automated notes: | - Remediation is not automated. - + Remediation is not automated. To select which firewall to + install and configure, use the profile variable var_network_filtering_service. - id: 4.2.1 title: Ensure ufw is installed (Automated) @@ -1463,7 +1464,6 @@ controls: - l1_server - l1_workstation rules: - - package_nftables_removed - service_nftables_disabled status: automated diff --git a/linux_os/guide/system/network/network-iptables/package_iptables_installed/rule.yml b/linux_os/guide/system/network/network-iptables/package_iptables_installed/rule.yml index d03f8a31592..8d37eeb4cdf 100644 --- a/linux_os/guide/system/network/network-iptables/package_iptables_installed/rule.yml +++ b/linux_os/guide/system/network/network-iptables/package_iptables_installed/rule.yml @@ -36,7 +36,7 @@ ocil_clause: 'the package is not installed' ocil: '{{{ ocil_package(package="iptables") }}}' -{{%- if product in [ "sle12", "sle15" ] %}} +{{%- if product in [ "sle12", "sle15", "ubuntu2404" ] %}} template: name: package_installed_guard_var vars: diff --git a/linux_os/guide/system/network/network-iptables/package_iptables_installed/tests/rhel8.fail.sh b/linux_os/guide/system/network/network-iptables/package_iptables_installed/tests/rhel8.fail.sh index 5db04a393cc..784d5722bcc 100644 --- a/linux_os/guide/system/network/network-iptables/package_iptables_installed/tests/rhel8.fail.sh +++ b/linux_os/guide/system/network/network-iptables/package_iptables_installed/tests/rhel8.fail.sh @@ -1,3 +1,4 @@ +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos #!/bin/bash mkdir -p "/etc" 
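Review bot: Dropping package_nftables_removed from the control at -1463 leaves only service_nftables_disabled, and that rule's `platform: system_with_kernel and package[nftables] and package[firewalld]` (visible as context in the service_nftables_disabled hunk) requires firewalld to be present; since the Ubuntu branch of var_network_filtering_service no longer offers firewalld, the remaining rule would likely be not applicable on ubuntu2404, leaving the control marked `status: automated` with no effective check. Either relax the platform for ubuntu2404 (for example `platform: system_with_kernel and package[nftables]` inside the ubuntu2404 branch of that rule) or keep a guarded package removal rule in the control. The control's `id:`/`title:` lines are outside this hunk, so I cannot confirm which benchmark section it covers.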
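Review bot: In rhel8.fail.sh the added `# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos` line is inserted above `#!/bin/bash`, so the shebang is no longer the first line; the same ordering appears in the rhel9.2.notapplicable.sh and rhel9.notapplicable.sh hunks. The test scripts added elsewhere in this change (for example service_enabled-var_is_value.pass.sh) put the shebang first and the header comments after it. Suggest swapping the two lines so each file starts with `#!/bin/bash` followed by `# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos`.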
diff --git a/linux_os/guide/system/network/network-iptables/package_iptables_installed/tests/rhel9.2.notapplicable.sh b/linux_os/guide/system/network/network-iptables/package_iptables_installed/tests/rhel9.2.notapplicable.sh index 6d7ba1ce515..3b1d0fafd8c 100644 --- a/linux_os/guide/system/network/network-iptables/package_iptables_installed/tests/rhel9.2.notapplicable.sh +++ b/linux_os/guide/system/network/network-iptables/package_iptables_installed/tests/rhel9.2.notapplicable.sh @@ -1,3 +1,4 @@ +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos #!/bin/bash mkdir -p "/etc" diff --git a/linux_os/guide/system/network/network-iptables/package_iptables_installed/tests/rhel9.notapplicable.sh b/linux_os/guide/system/network/network-iptables/package_iptables_installed/tests/rhel9.notapplicable.sh index 7908a3b970d..d6394d7b10a 100644 --- a/linux_os/guide/system/network/network-iptables/package_iptables_installed/tests/rhel9.notapplicable.sh +++ b/linux_os/guide/system/network/network-iptables/package_iptables_installed/tests/rhel9.notapplicable.sh @@ -1,3 +1,4 @@ +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos #!/bin/bash mkdir -p "/etc" diff --git a/linux_os/guide/system/network/network-nftables/package_nftables_installed/rule.yml b/linux_os/guide/system/network/network-nftables/package_nftables_installed/rule.yml index d54541261b0..0eda5bb9ae6 100644 --- a/linux_os/guide/system/network/network-nftables/package_nftables_installed/rule.yml +++ b/linux_os/guide/system/network/network-nftables/package_nftables_installed/rule.yml @@ -1,6 +1,5 @@ documentation_complete: true - title: 'Install nftables Package' description: |- 
@@ -36,10 +35,19 @@ ocil: '{{{ ocil_package(package="nftables") }}}' platform: system_with_kernel and service_disabled[iptables] and service_disabled[ufw] +{{%- if product in [ "ubuntu2404" ] %}} +template: + name: package_installed_guard_var + vars: + pkgname: nftables + variable: var_network_filtering_service + value: nftables +{{%- else %}} template: name: package_installed vars: pkgname: nftables +{{%- endif %}} fixtext: |- {{{ describe_package_install(package="nftables") }}} diff --git a/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml b/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml index 45fa774a56c..85a5cf9617b 100644 --- a/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml +++ b/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml @@ -1,6 +1,5 @@ documentation_complete: true - title: 'Verify nftables Service is Disabled' description: |- @@ -38,7 +37,7 @@ fixtext: '{{{ fixtext_service_disabled("nftables") }}}' platform: system_with_kernel and package[nftables] and package[firewalld] -{{%- if product in [ "sle12", "sle15" ] %}} +{{%- if product in [ "sle12", "sle15", "ubuntu2404" ] %}} template: name: service_disabled_guard_var vars: diff --git a/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml b/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml index 37addf11a5c..30ea1f37261 100644 --- a/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml +++ b/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml @@ -1,6 +1,5 @@ documentation_complete: true - title: 'Verify nftables Service is Enabled' description: |- 
@@ -34,11 +33,9 @@ ocil: |- fixtext: |- {{{ fixtext_service_enabled("nftables") }}} - platform: system_with_kernel and package[nftables] and service_disabled[firewalld] - -{{%- if product in [ "sle12", "sle15" ] %}} +{{%- if product in [ "sle12", "sle15", "ubuntu2404" ] %}} template: name: service_enabled_guard_var vars: diff --git a/linux_os/guide/system/network/network-ufw/package_ufw_installed/rule.yml b/linux_os/guide/system/network/network-ufw/package_ufw_installed/rule.yml index 9a0cfbb2541..e1c8b2aedb3 100644 --- a/linux_os/guide/system/network/network-ufw/package_ufw_installed/rule.yml +++ b/linux_os/guide/system/network/network-ufw/package_ufw_installed/rule.yml @@ -1,6 +1,5 @@ documentation_complete: true - title: 'Install ufw Package' description: |- @@ -25,7 +24,17 @@ ocil_clause: 'the package is not installed' ocil: '{{{ ocil_package(package="ufw") }}}' +{{%- if product in [ "ubuntu2404" ] %}} +template: + name: package_installed_guard_var + vars: + pkgname: ufw + variable: var_network_filtering_service + value: ufw + operation: pattern match +{{%- else %}} template: name: package_installed vars: pkgname: ufw +{{%- endif %}} diff --git a/linux_os/guide/system/network/network-ufw/package_ufw_removed/rule.yml b/linux_os/guide/system/network/network-ufw/package_ufw_removed/rule.yml index 426d628dda9..07c37c17427 100644 --- a/linux_os/guide/system/network/network-ufw/package_ufw_removed/rule.yml +++ b/linux_os/guide/system/network/network-ufw/package_ufw_removed/rule.yml @@ -1,6 +1,5 @@ documentation_complete: true - title: 'Remove ufw Package' description: |- 
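Review bot: The service_nftables_enabled hunk removes `platform: system_with_kernel and package[nftables] and service_disabled[firewalld]` outright instead of adjusting it, so for products that fall into the `else` branch (outside this hunk) the rule is now evaluated and remediated even while firewalld is enabled, which would leave two firewall services active side by side. If the constraint was only in the way for the guarded products, keep it for the others, e.g. wrap the original platform line in `{{%- if product not in [ "sle12", "sle15", "ubuntu2404" ] %}}`, or document in the rule why it is safe to drop. The rest of the rule file is outside the hunk, so I cannot see whether another condition took its place.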
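Review bot: The ubuntu2404 branch added to package_ufw_installed sets `operation: pattern match` on the package_installed_guard_var template, while the sibling guarded templates added in this change (package_nftables_installed, package_ufw_removed, service_ufw_enabled) rely on the default operation with the same variable and a plain `value:`. With the Ubuntu options being exactly iptables, nftables and ufw, a pattern match on `ufw` behaves like an equality check, so the line looks either unnecessary or, if intentional, undocumented. Suggest dropping it for consistency, or adding a comment above it such as `# pattern match is required here because ...` stating the reason.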
@@ -20,10 +19,21 @@ ocil_clause: 'the package is installed' ocil: '{{{ ocil_package(package="ufw") }}}' +platform: system_with_kernel + +{{%- if product in [ "ubuntu2404" ] %}} +template: + name: package_removed_guard_var + vars: + pkgname: ufw + variable: var_network_filtering_service + value: ufw +{{%- else %}} template: name: package_removed vars: pkgname: ufw +{{%- endif %}} fixtext: |- {{{ describe_package_remove(package="ufw") }}} diff --git a/linux_os/guide/system/network/network-ufw/service_ufw_enabled/rule.yml b/linux_os/guide/system/network/network-ufw/service_ufw_enabled/rule.yml index b899e5b54ac..7b65b827b66 100644 --- a/linux_os/guide/system/network/network-ufw/service_ufw_enabled/rule.yml +++ b/linux_os/guide/system/network/network-ufw/service_ufw_enabled/rule.yml @@ -23,9 +23,19 @@ ocil_clause: 'the service is not enabled' ocil: |- {{{ ocil_service_enabled(service="ufw") }}} +platform: system_with_kernel and package[ufw] + +{{%- if product in [ "ubuntu2404" ] %}} +template: + name: service_enabled_guard_var + vars: + packagename: ufw + servicename: ufw + variable: var_network_filtering_service + value: ufw +{{%- else %}} template: name: service_enabled vars: servicename: ufw - -platform: system_with_kernel and package[ufw] +{{%- endif %}} diff --git a/linux_os/guide/system/network/var_network_filtering_service.var b/linux_os/guide/system/network/var_network_filtering_service.var index 353caac8cd7..cfd4c1e64a5 100644 --- a/linux_os/guide/system/network/var_network_filtering_service.var +++ b/linux_os/guide/system/network/var_network_filtering_service.var @@ -11,9 +11,17 @@ operator: equals interactive: true +{{% if 'ubuntu' in product %}} +options: + iptables: iptables + nftables: nftables + ufw: ufw + default: nftables +{{% else %}} options: iptables: iptables nftables: nftables firewalld: firewalld ufw: ufw default: firewalld +{{% endif %}} 
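Review bot: The new Ubuntu branch of var_network_filtering_service.var is selected with `{{% if 'ubuntu' in product %}}`, whereas every rule file in this change switches to the guarded templates only for `product in [ "ubuntu2404" ]`. For any other Ubuntu product the variable therefore loses the firewalld option and changes its default to nftables while the rules keep using the unguarded templates, which is hard to reason about and may change those products' defaults unintentionally. Either narrow the variable condition to `{{% if product in [ "ubuntu2404" ] %}}` or extend the rule conditions to match, and state the intended product set in a comment above the condition.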
diff --git a/shared/templates/package_installed_guard_var/ansible.template b/shared/templates/package_installed_guard_var/ansible.template index 69f30446458..7b985660e37 100644 --- a/shared/templates/package_installed_guard_var/ansible.template +++ b/shared/templates/package_installed_guard_var/ansible.template @@ -1,4 +1,4 @@ -# platform = multi_platform_sle +# platform = multi_platform_all # reboot = false # strategy = enable # complexity = low diff --git a/shared/templates/package_installed_guard_var/bash.template b/shared/templates/package_installed_guard_var/bash.template index 86b03c61821..4facfb0c110 100644 --- a/shared/templates/package_installed_guard_var/bash.template +++ b/shared/templates/package_installed_guard_var/bash.template @@ -1,4 +1,4 @@ -# platform = multi_platform_sle +# platform = multi_platform_all # reboot = false # strategy = enable # complexity = low diff --git a/shared/templates/package_installed_guard_var/oval.template b/shared/templates/package_installed_guard_var/oval.template index 279a1e1eca2..574d1f27ec0 100644 --- a/shared/templates/package_installed_guard_var/oval.template +++ b/shared/templates/package_installed_guard_var/oval.template 
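Review bot: Changing the `# platform` header of package_installed_guard_var/ansible.template from `multi_platform_sle` to `multi_platform_all` makes the remediation available to every product, not only the ones that now select the template; the bash.template hunk in this line does the same, as does the service_enabled_guard_var pair further down. The template bodies are outside these hunks, so I cannot confirm they use only product-neutral package and service helpers. If the goal is just to admit Ubuntu, `# platform = multi_platform_sle,multi_platform_ubuntu` would keep the applicability explicit; otherwise a short comment on why the template is now universal would help the next reader.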
@@ -7,7 +7,7 @@ {{% endif %}} - {{{ oval_metadata("The " + pkg_system|upper + " package " + PKGNAME + " should be installed.", affected_platforms=["multi_platform_sle"]) }}} + {{{ oval_metadata("The " + pkg_system|upper + " package " + PKGNAME + " should be installed.", affected_platforms=["multi_platform_all"]) }}} - {{{ oval_metadata("The " + pkg_system|upper + " package " + PKGNAME + " should be removed.", affected_platforms=["multi_platform_sle"]) }}} + {{{ oval_metadata("The " + pkg_system|upper + " package " + PKGNAME + " should be removed.", affected_platforms=["multi_platform_all"]) }}} - {{{ oval_metadata("The " + SERVICENAME + " service should be disabled.", affected_platforms=["multi_platform_sle"]) }}} + {{{ oval_metadata("The " + SERVICENAME + " service should be disabled.", affected_platforms=["multi_platform_all"]) }}} @.service style that is not meant to be activated at all, +# and only used via socket activation. +if "$SYSTEMCTL_EXEC" -q list-unit-files '{{{ DAEMONNAME }}}.service'; then + "$SYSTEMCTL_EXEC" stop '{{{ DAEMONNAME }}}.service' + "$SYSTEMCTL_EXEC" disable '{{{ DAEMONNAME }}}.service' + "$SYSTEMCTL_EXEC" mask '{{{ DAEMONNAME }}}.service' +fi +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files '{{{ DAEMONNAME }}}.socket'; then + "$SYSTEMCTL_EXEC" stop '{{{ DAEMONNAME }}}.socket' + "$SYSTEMCTL_EXEC" mask '{{{ DAEMONNAME }}}.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed '{{{ DAEMONNAME }}}.service' || true diff --git a/shared/templates/service_disabled_guard_var/tests/service_enabled-var_is_value.pass.sh b/shared/templates/service_disabled_guard_var/tests/service_enabled-var_is_value.pass.sh new file mode 100644 index 00000000000..abbc57c0877 --- /dev/null 
+++ b/shared/templates/service_disabled_guard_var/tests/service_enabled-var_is_value.pass.sh @@ -0,0 +1,22 @@ +#!/bin/bash +# packages = {{{ PACKAGENAME }}} +# variables = {{{ VARIABLE }}}={{{ VALUE }}} + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +# Some services use @.service style that is not meant to be activated at all, +# and only used via socket activation. +if "$SYSTEMCTL_EXEC" -q list-unit-files '{{{ DAEMONNAME }}}.service'; then + "$SYSTEMCTL_EXEC" unmask '{{{ DAEMONNAME }}}.service' + "$SYSTEMCTL_EXEC" start '{{{ DAEMONNAME }}}.service' + "$SYSTEMCTL_EXEC" enable '{{{ DAEMONNAME }}}.service' +fi +# Enable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files '{{{ DAEMONNAME }}}.socket'; then + "$SYSTEMCTL_EXEC" unmask '{{{ DAEMONNAME }}}.socket' + "$SYSTEMCTL_EXEC" start '{{{ DAEMONNAME }}}.socket' +fi + +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed '{{{ DAEMONNAME }}}.service' || true diff --git a/shared/templates/service_disabled_guard_var/tests/service_enabled-var_not_value.fail.sh b/shared/templates/service_disabled_guard_var/tests/service_enabled-var_not_value.fail.sh new file mode 100644 index 00000000000..de960d3d4ce --- /dev/null +++ b/shared/templates/service_disabled_guard_var/tests/service_enabled-var_not_value.fail.sh 
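Review bot: service_enabled-var_is_value.pass.sh deliberately enables the service and still expects a pass, but nothing in the script says why an enabled service is acceptable for a disabled-service check. A header comment would spare the next reader a trip into the template, e.g. `# With the variable selecting this service, the disabled check is not enforced, so an enabled unit must pass.` (adjust if the template's contract is different). The same explanation, inverted, fits service_enabled-var_not_value.fail.sh that follows.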
@@ -0,0 +1,22 @@ +#!/bin/bash +# packages = {{{ PACKAGENAME }}} +# variables = {{{ VARIABLE }}}=wrongvalue + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +# Some services use @.service style that is not meant to be activated at all, +# and only used via socket activation. +if "$SYSTEMCTL_EXEC" -q list-unit-files '{{{ DAEMONNAME }}}.service'; then + "$SYSTEMCTL_EXEC" unmask '{{{ DAEMONNAME }}}.service' + "$SYSTEMCTL_EXEC" start '{{{ DAEMONNAME }}}.service' + "$SYSTEMCTL_EXEC" enable '{{{ DAEMONNAME }}}.service' +fi +# Enable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files '{{{ DAEMONNAME }}}.socket'; then + "$SYSTEMCTL_EXEC" unmask '{{{ DAEMONNAME }}}.socket' + "$SYSTEMCTL_EXEC" start '{{{ DAEMONNAME }}}.socket' +fi + +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed '{{{ DAEMONNAME }}}.service' || true diff --git a/shared/templates/service_enabled_guard_var/ansible.template b/shared/templates/service_enabled_guard_var/ansible.template index 74ad34e16ca..3fdd48b10a7 100644 --- a/shared/templates/service_enabled_guard_var/ansible.template +++ b/shared/templates/service_enabled_guard_var/ansible.template @@ -1,4 +1,4 @@ -# platform = multi_platform_sle +# platform = multi_platform_all # reboot = false # strategy = enable # complexity = low diff --git a/shared/templates/service_enabled_guard_var/bash.template b/shared/templates/service_enabled_guard_var/bash.template index 12f12bac454..c134a218176 100644 --- a/shared/templates/service_enabled_guard_var/bash.template +++ b/shared/templates/service_enabled_guard_var/bash.template @@ -1,4 +1,4 @@ -# platform = multi_platform_sle +# platform = multi_platform_all # reboot = false # strategy = enable # complexity = low 
diff --git a/shared/templates/service_enabled_guard_var/tests/service_disabled-var_not_value.pass.sh b/shared/templates/service_enabled_guard_var/tests/service_disabled-var_not_value.pass.sh new file mode 100644 index 00000000000..267542928a9 --- /dev/null +++ b/shared/templates/service_enabled_guard_var/tests/service_disabled-var_not_value.pass.sh @@ -0,0 +1,11 @@ +#!/bin/bash +{{% if SERVICENAME == "sshd" %}} +# platform = Not Applicable +{{% endif %}} +# packages = {{{ PACKAGENAME }}} +# variables = {{{ VARIABLE }}}=wrongvalue + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask '{{{ DAEMONNAME }}}.service' +"$SYSTEMCTL_EXEC" start '{{{ DAEMONNAME }}}.service' +"$SYSTEMCTL_EXEC" enable '{{{ DAEMONNAME }}}.service' diff --git a/shared/templates/service_enabled_guard_var/tests/service_disabled.fail.sh b/shared/templates/service_enabled_guard_var/tests/service_disabled.fail.sh new file mode 100644 index 00000000000..2a3ff0e3eaa --- /dev/null +++ b/shared/templates/service_enabled_guard_var/tests/service_disabled.fail.sh @@ -0,0 +1,10 @@ +#!/bin/bash +{{% if SERVICENAME in ["ssh", "sshd"] %}} +# platform = Not Applicable +{{% endif %}} +# packages = {{{ PACKAGENAME }}} +# variables = {{{ VARIABLE }}}={{{ VALUE }}} + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop '{{{ DAEMONNAME }}}.service' +"$SYSTEMCTL_EXEC" disable '{{{ DAEMONNAME }}}.service' diff --git a/shared/templates/service_enabled_guard_var/tests/service_enabled.pass.sh b/shared/templates/service_enabled_guard_var/tests/service_enabled.pass.sh new file mode 100644 index 00000000000..0fe467eceaa --- /dev/null +++ b/shared/templates/service_enabled_guard_var/tests/service_enabled.pass.sh 
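Review bot: The three service_enabled_guard_var test scripts gate the `# platform = Not Applicable` header on different conditions: service_disabled-var_not_value.pass.sh and service_enabled.pass.sh use `{{% if SERVICENAME == "sshd" %}}`, while service_disabled.fail.sh uses `{{% if SERVICENAME in ["ssh", "sshd"] %}}`. The wider list is presumably needed there because that script stops and disables the daemon, which would cut the harness's session on products whose unit is named ssh, whereas the other two only start it. If that is the reason, a one-line comment above each condition would make the asymmetry intentional; otherwise the three conditions should be aligned.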
@@ -0,0 +1,11 @@ +#!/bin/bash +{{% if SERVICENAME == "sshd" %}} +# platform = Not Applicable +{{% endif %}} +# packages = {{{ PACKAGENAME }}} +# variables = {{{ VARIABLE }}}={{{ VALUE }}} + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask '{{{ DAEMONNAME }}}.service' +"$SYSTEMCTL_EXEC" start '{{{ DAEMONNAME }}}.service' +"$SYSTEMCTL_EXEC" enable '{{{ DAEMONNAME }}}.service'