Switch to _guard_var templates for firewall rules on Ubuntu 24.04 #12902

Merged
merged 7 commits into from
Jan 27, 2025
6 changes: 3 additions & 3 deletions controls/cis_ubuntu2404.yml
Expand Up @@ -1281,10 +1281,11 @@ controls:
- l1_workstation
rules:
- firewall_single_service_active
- var_network_filtering_service=nftables
status: automated
notes: |
Remediation is not automated.

Remediation is not automated. To select which firewall to
install and configure, use the profile variable var_network_filtering_service.

- id: 4.2.1
title: Ensure ufw is installed (Automated)
Expand Down Expand Up @@ -1463,7 +1464,6 @@ controls:
- l1_server
- l1_workstation
rules:
- package_nftables_removed
- service_nftables_disabled
status: automated

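Review bot: The notes block added in the first hunk says "Remediation is not automated" while the control keeps `status: automated`; if the status field is meant to cover remediation as well as the check, the two now contradict each other and either `status: partial` or a note that states explicitly that only the check is automated would be clearer. Pinning `var_network_filtering_service=nftables` inside the control's `rules:` list also appears to make the very selection the notes tell the reader to make through the profile variable — presumably a later profile-level selection still wins, but that is worth one sentence in the notes. The second hunk drops `package_nftables_removed` and leaves `service_nftables_disabled` as the only rule; that rule's `platform:` line elsewhere in this PR still requires `package[firewalld]`, so on an Ubuntu host without firewalld the control may be left with no applicable rule. Both hunks cut through the middle of their control entries.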
Expand Up @@ -36,7 +36,7 @@ ocil_clause: 'the package is not installed'

ocil: '{{{ ocil_package(package="iptables") }}}'

{{%- if product in [ "sle12", "sle15" ] %}}
{{%- if product in [ "sle12", "sle15", "ubuntu2404" ] %}}
template:
name: package_installed_guard_var
vars:
@@ -1,3 +1,4 @@
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
#!/bin/bash

mkdir -p "/etc"
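Review bot: The new `# platform = …` header is inserted above `#!/bin/bash`, so the shebang is no longer on line 1 and becomes an ordinary comment if the script is ever executed directly; the same ordering appears in the next two scripts (the hunks ending at L84 and L91). Swap the two lines so that `#!/bin/bash` stays first and `# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos` follows it — that is the order the test scenarios added later in this PR use (`#!/bin/bash`, then `# packages =` / `# variables =`). The file paths are not shown on this page, so which rule's tests these are cannot be confirmed from here, and each script continues past the hunk.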
@@ -1,3 +1,4 @@
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
#!/bin/bash

mkdir -p "/etc"
@@ -1,3 +1,4 @@
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
#!/bin/bash

mkdir -p "/etc"
@@ -1,6 +1,5 @@
documentation_complete: true


title: 'Install nftables Package'

description: |-
Expand Down Expand Up @@ -36,10 +35,19 @@ ocil: '{{{ ocil_package(package="nftables") }}}'

platform: system_with_kernel and service_disabled[iptables] and service_disabled[ufw]

{{%- if product in [ "ubuntu2404" ] %}}
template:
name: package_installed_guard_var
vars:
pkgname: nftables
variable: var_network_filtering_service
value: nftables
{{%- else %}}
template:
name: package_installed
vars:
pkgname: nftables
{{%- endif %}}

fixtext: |-
{{{ describe_package_install(package="nftables") }}}
@@ -1,6 +1,5 @@
documentation_complete: true


title: 'Verify nftables Service is Disabled'

description: |-
Expand Down Expand Up @@ -38,7 +37,7 @@ fixtext: '{{{ fixtext_service_disabled("nftables") }}}'

platform: system_with_kernel and package[nftables] and package[firewalld]

{{%- if product in [ "sle12", "sle15" ] %}}
{{%- if product in [ "sle12", "sle15", "ubuntu2404" ] %}}
template:
name: service_disabled_guard_var
vars:
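Review bot: Adding `ubuntu2404` to the `service_disabled_guard_var` branch leaves the unconditional `platform: system_with_kernel and package[nftables] and package[firewalld]` line above it untouched, so on an Ubuntu 24.04 host without the firewalld package the rule is evaluated as not applicable before the guard-variable logic is ever reached; since the controls change in this PR removes `package_nftables_removed` and relies on this rule for the ufw case, the check may silently not run. If the firewalld requirement only makes sense for the products that are not guarded by the variable, give the platform its own branch, e.g. `{{%- if product in [ "ubuntu2404" ] %}}` / `platform: system_with_kernel and package[nftables]` / `{{%- else %}}` with the current line in the else part; otherwise a `{{# … #}}` comment explaining why firewalld must be installed for this check belongs next to it. The template's `vars:` mapping continues below the hunk.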
@@ -1,6 +1,5 @@
documentation_complete: true


title: 'Verify nftables Service is Enabled'

description: |-
Expand Down Expand Up @@ -34,11 +33,9 @@ ocil: |-
fixtext: |-
{{{ fixtext_service_enabled("nftables") }}}


platform: system_with_kernel and package[nftables] and service_disabled[firewalld]


{{%- if product in [ "sle12", "sle15" ] %}}
{{%- if product in [ "sle12", "sle15", "ubuntu2404" ] %}}
template:
name: service_enabled_guard_var
vars:
@@ -1,6 +1,5 @@
documentation_complete: true


title: 'Install ufw Package'

description: |-
Expand All @@ -25,7 +24,17 @@ ocil_clause: 'the package is not installed'

ocil: '{{{ ocil_package(package="ufw") }}}'

{{%- if product in [ "ubuntu2404" ] %}}
template:
name: package_installed_guard_var
vars:
pkgname: ufw
variable: var_network_filtering_service
value: ufw
operation: pattern match
{{%- else %}}
template:
name: package_installed
vars:
pkgname: ufw
{{%- endif %}}
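Review bot: The ubuntu2404 branch sets `operation: pattern match` on the guard variable, while the parallel `package_nftables_installed` change in this PR, using the same variable and the same `package_installed_guard_var` template, leaves the operation at its default; with a single literal `value: ufw` a pattern match gains nothing, and a regex-style comparison would also accept any value that merely contains `ufw` (a constructed value such as `ufw-extra`). Unless the template needs it, drop the `operation: pattern match` line so the two rules read the same; if it is needed, document why in a `{{# … #}}` comment and apply the same operation to the nftables rule.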
@@ -1,6 +1,5 @@
documentation_complete: true


title: 'Remove ufw Package'

description: |-
Expand All @@ -20,10 +19,21 @@ ocil_clause: 'the package is installed'

ocil: '{{{ ocil_package(package="ufw") }}}'

platform: system_with_kernel

{{%- if product in [ "ubuntu2404" ] %}}
template:
name: package_removed_guard_var
vars:
pkgname: ufw
variable: var_network_filtering_service
value: ufw
{{%- else %}}
template:
name: package_removed
vars:
pkgname: ufw
{{%- endif %}}

fixtext: |-
{{{ describe_package_remove(package="ufw") }}}
Expand Up @@ -23,9 +23,19 @@ ocil_clause: 'the service is not enabled'
ocil: |-
{{{ ocil_service_enabled(service="ufw") }}}

platform: system_with_kernel and package[ufw]

{{%- if product in [ "ubuntu2404" ] %}}
template:
name: service_enabled_guard_var
vars:
packagename: ufw
servicename: ufw
variable: var_network_filtering_service
value: ufw
{{%- else %}}
template:
name: service_enabled
vars:
servicename: ufw

platform: system_with_kernel and package[ufw]
{{%- endif %}}
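Review bot: The `platform: system_with_kernel and package[ufw]` key now exists only inside the `{{%- else %}}` branch, so on ubuntu2404 the rule carries no `platform:` at all; if that is deliberate — the guard must be evaluated even on hosts where ufw is absent so that the "not needed" path can pass — it should be stated, because a top-level key that lives only inside a template conditional reads like an editing mistake. The `package_ufw_removed` change in this PR keeps `platform: system_with_kernel` unconditional above its conditional block, which is the shape to follow: keep a platform line outside the `{{%- if` and put only the `package[ufw]` variant under its own condition, or add `{{# no platform restriction on ubuntu2404: the guard variable is evaluated even when ufw is not installed #}}` above the block.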
Expand Up @@ -11,9 +11,17 @@ operator: equals

interactive: true

{{% if 'ubuntu' in product %}}
options:
iptables: iptables
nftables: nftables
ufw: ufw
default: nftables
{{% else %}}
options:
iptables: iptables
nftables: nftables
firewalld: firewalld
ufw: ufw
default: firewalld
{{% endif %}}
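Review bot: The new branch is keyed on `{{% if 'ubuntu' in product %}}`, a substring test that matches every Ubuntu product, whereas all the rule changes in this PR are gated on `product in [ "ubuntu2404" ]`; on the other Ubuntu products the `firewalld` option disappears and the default flips to `nftables` even though their rules still use the plain `package_installed` / `service_enabled` templates. If only 24.04 is intended, use `{{% if product in [ "ubuntu2404" ] %}}` here as well; if every Ubuntu release is meant, a short comment saying that the variable is intentionally broader than the rule gating would spare the next reader the same question. The first part of the variable definition is above the hunk.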
@@ -1,4 +1,4 @@
# platform = multi_platform_sle
# platform = multi_platform_all
# reboot = false
# strategy = enable
# complexity = low
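--- a/shared/templates/package_installed_guard_var/bash.template
+++ b/shared/templates/package_installed_guard_var/bash.template
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_all
 # reboot = false
 # strategy = enable
 # complexity = low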
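--- a/shared/templates/package_installed_guard_var/oval.template
+++ b/shared/templates/package_installed_guard_var/oval.template
@@ -7,7 +7,7 @@
 {{% endif %}}
 <definition class="compliance" id="{{{ _RULE_ID }}}"
 version="1">
-{{{ oval_metadata("The " + pkg_system|upper + " package " + PKGNAME + " should be installed.", affected_platforms=["multi_platform_sle"]) }}}
+{{{ oval_metadata("The " + pkg_system|upper + " package " + PKGNAME + " should be installed.", affected_platforms=["multi_platform_all"]) }}}
 <criteria operator="OR" comment="package {{{ PKGNAME }}} is installed or not needed">
 <criteria comment="{{{ PKGNAME }}} is not needed" operator="AND">
 <criterion comment="variable {{{ VARIABLE }}} is set to {{{ VALUE }}}"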
@@ -0,0 +1,5 @@
#!/bin/bash
# variables = {{{ VARIABLE }}}={{{ VALUE }}}

{{{ bash_package_install(PKGNAME) }}}
{{{ bash_package_remove(PKGNAME) }}}
@@ -0,0 +1,4 @@
#!/bin/bash
# variables = {{{ VARIABLE }}}={{{ VALUE }}}

{{{ bash_package_install(PKGNAME) }}}
@@ -0,0 +1,4 @@
#!/bin/bash
# variables = {{{ VARIABLE }}}=wrongvalue

{{{ bash_package_remove(PKGNAME) }}}
@@ -0,0 +1,4 @@
#!/bin/bash
# variables = {{{ VARIABLE }}}={{{ VALUE }}}

{{{ bash_package_remove(PKGNAME) }}}
@@ -1,4 +1,4 @@
# platform = multi_platform_sle
# platform = multi_platform_all
# reboot = false
# strategy = disable
# complexity = low
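--- a/shared/templates/package_removed_guard_var/bash.template
+++ b/shared/templates/package_removed_guard_var/bash.template
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_all
 # reboot = false
 # strategy = disable
 # complexity = low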
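--- a/shared/templates/package_removed_guard_var/oval.template
+++ b/shared/templates/package_removed_guard_var/oval.template
@@ -7,7 +7,7 @@
 {{% endif %}}
 <definition class="compliance" id="{{{ _RULE_ID }}}"
 version="1">
-{{{ oval_metadata("The " + pkg_system|upper + " package " + PKGNAME + " should be removed.", affected_platforms=["multi_platform_sle"]) }}}
+{{{ oval_metadata("The " + pkg_system|upper + " package " + PKGNAME + " should be removed.", affected_platforms=["multi_platform_all"]) }}}
 <criteria operator="OR" comment="package {{{ PKGNAME }}} is removed or not needed">
 <criteria comment="{{{ PKGNAME }}} is needed" operator="AND">
 <criterion comment="variable {{{ VARIABLE }}} is set to {{{ VALUE }}}"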
@@ -0,0 +1,4 @@
#!/bin/bash
# variables = {{{ VARIABLE }}}={{{ VALUE }}}

{{{ bash_package_install(PKGNAME) }}}
@@ -0,0 +1,5 @@
#!/bin/bash
# variables = {{{ VARIABLE }}}=wrongvalue

{{{ bash_package_install(PKGNAME) }}}
{{{ bash_package_remove(PKGNAME) }}}
@@ -0,0 +1,4 @@
#!/bin/bash
# variables = {{{ VARIABLE }}}=wrongvalue

{{{ bash_package_install(PKGNAME) }}}
@@ -0,0 +1,4 @@
#!/bin/bash
# variables = {{{ VARIABLE }}}=wrongvalue

{{{ bash_package_remove(PKGNAME) }}}
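--- a/shared/templates/service_disabled_guard_var/oval.template
+++ b/shared/templates/service_disabled_guard_var/oval.template
@@ -9,7 +9,7 @@
 {{% endif %}}
 
 <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
-{{{ oval_metadata("The " + SERVICENAME + " service should be disabled.", affected_platforms=["multi_platform_sle"]) }}}
+{{{ oval_metadata("The " + SERVICENAME + " service should be disabled.", affected_platforms=["multi_platform_all"]) }}}
 <criteria operator="OR" comment="package {{{ PACKAGENAME }}} removed or service {{{ SERVICENAME }}} is not configured to start">
 <criteria comment="{{{ PKGNAME }}} and service {{{ SERVICENAME }}} are needed" operator="AND">
 <criterion comment="variable {{{ VARIABLE }}} is set to {{{ VALUE }}}"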
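Review bot: The criteria comment two lines below the changed `oval_metadata` call interpolates `{{{ PKGNAME }}}`, while the rest of this template uses `{{{ PACKAGENAME }}}` (the `criteria` comment directly above it); now that the template is opened to `multi_platform_all`, any product that adopts it inherits that mismatch. Change the line to `<criteria comment="{{{ PACKAGENAME }}} and service {{{ SERVICENAME }}} are needed" operator="AND">`. It is a context line here, so this is presumably a pre-existing oversight rather than something the commit introduced, and the definition continues below the hunk.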
@@ -0,0 +1,21 @@
#!/bin/bash
# packages = {{{ PACKAGENAME }}}
# variables = {{{ VARIABLE }}}=wrongvalue

SYSTEMCTL_EXEC='/usr/bin/systemctl'
# Some services use <name>@.service style that is not meant to be activated at all,
# and only used via socket activation.
if "$SYSTEMCTL_EXEC" -q list-unit-files '{{{ DAEMONNAME }}}.service'; then
"$SYSTEMCTL_EXEC" stop '{{{ DAEMONNAME }}}.service'
"$SYSTEMCTL_EXEC" disable '{{{ DAEMONNAME }}}.service'
"$SYSTEMCTL_EXEC" mask '{{{ DAEMONNAME }}}.service'
fi
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" -q list-unit-files '{{{ DAEMONNAME }}}.socket'; then
"$SYSTEMCTL_EXEC" stop '{{{ DAEMONNAME }}}.socket'
"$SYSTEMCTL_EXEC" mask '{{{ DAEMONNAME }}}.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed '{{{ DAEMONNAME }}}.service' || true
@@ -0,0 +1,22 @@
#!/bin/bash
# packages = {{{ PACKAGENAME }}}
# variables = {{{ VARIABLE }}}={{{ VALUE }}}

SYSTEMCTL_EXEC='/usr/bin/systemctl'
# Some services use <name>@.service style that is not meant to be activated at all,
# and only used via socket activation.
if "$SYSTEMCTL_EXEC" -q list-unit-files '{{{ DAEMONNAME }}}.service'; then
"$SYSTEMCTL_EXEC" unmask '{{{ DAEMONNAME }}}.service'
"$SYSTEMCTL_EXEC" start '{{{ DAEMONNAME }}}.service'
"$SYSTEMCTL_EXEC" enable '{{{ DAEMONNAME }}}.service'
fi
# Enable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" -q list-unit-files '{{{ DAEMONNAME }}}.socket'; then
"$SYSTEMCTL_EXEC" unmask '{{{ DAEMONNAME }}}.socket'
"$SYSTEMCTL_EXEC" start '{{{ DAEMONNAME }}}.socket'
fi

# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed '{{{ DAEMONNAME }}}.service' || true
@@ -0,0 +1,22 @@
#!/bin/bash
# packages = {{{ PACKAGENAME }}}
# variables = {{{ VARIABLE }}}=wrongvalue

SYSTEMCTL_EXEC='/usr/bin/systemctl'
# Some services use <name>@.service style that is not meant to be activated at all,
# and only used via socket activation.
if "$SYSTEMCTL_EXEC" -q list-unit-files '{{{ DAEMONNAME }}}.service'; then
"$SYSTEMCTL_EXEC" unmask '{{{ DAEMONNAME }}}.service'
"$SYSTEMCTL_EXEC" start '{{{ DAEMONNAME }}}.service'
"$SYSTEMCTL_EXEC" enable '{{{ DAEMONNAME }}}.service'
fi
# Enable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" -q list-unit-files '{{{ DAEMONNAME }}}.socket'; then
"$SYSTEMCTL_EXEC" unmask '{{{ DAEMONNAME }}}.socket'
"$SYSTEMCTL_EXEC" start '{{{ DAEMONNAME }}}.socket'
fi

# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed '{{{ DAEMONNAME }}}.service' || true
@@ -1,4 +1,4 @@
# platform = multi_platform_sle
# platform = multi_platform_all
# reboot = false
# strategy = enable
# complexity = low
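--- a/shared/templates/service_enabled_guard_var/bash.template
+++ b/shared/templates/service_enabled_guard_var/bash.template
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_all
 # reboot = false
 # strategy = enable
 # complexity = low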
@@ -0,0 +1,11 @@
#!/bin/bash
{{% if SERVICENAME == "sshd" %}}
# platform = Not Applicable
{{% endif %}}
# packages = {{{ PACKAGENAME }}}
# variables = {{{ VARIABLE }}}=wrongvalue

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask '{{{ DAEMONNAME }}}.service'
"$SYSTEMCTL_EXEC" start '{{{ DAEMONNAME }}}.service'
"$SYSTEMCTL_EXEC" enable '{{{ DAEMONNAME }}}.service'
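Review bot: The not-applicable guard in this scenario is `{{% if SERVICENAME == "sshd" %}}`, but the sibling scenario added right after it (the one that stops and disables the service) uses `{{% if SERVICENAME in ["ssh", "sshd"] %}}`, presumably because the unit is named `ssh` on Debian-family products; the two files therefore disagree on which services are excluded. Use the same `{{% if SERVICENAME in ["ssh", "sshd"] %}}` form in both, or, if enabling the SSH unit is harmless in the test environment and this guard is not needed at all, drop it and say so in a comment. Each scenario is a complete file, so nothing is cut off here.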
@@ -0,0 +1,10 @@
#!/bin/bash
{{% if SERVICENAME in ["ssh", "sshd"] %}}
# platform = Not Applicable
{{% endif %}}
# packages = {{{ PACKAGENAME }}}
# variables = {{{ VARIABLE }}}={{{ VALUE }}}

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop '{{{ DAEMONNAME }}}.service'
"$SYSTEMCTL_EXEC" disable '{{{ DAEMONNAME }}}.service'