-
Notifications
You must be signed in to change notification settings - Fork 698
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #10359 from dodys/postfix
Restart postfix service and add rule has_nonlocal_mta
- Loading branch information
Showing
7 changed files
with
74 additions
and
0 deletions.
There are no files selected for viewing
27 changes: 27 additions & 0 deletions
27
linux_os/guide/services/mail/has_nonlocal_mta/oval/shared.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| <def-group> | ||
| <definition class="compliance" id="{{{ rule_id }}}" version="1"> | ||
| {{{ oval_metadata("Verify MTA is not listening on any non-loopback address") }}} | ||
| <criteria> | ||
| <criterion test_ref="tst_nothing_listening_external_mta_port" | ||
| comment="mta is not listening on any non-loopbackaddress" /> | ||
| </criteria> | ||
| </definition> | ||
| <linux:inetlisteningservers_object id="obj_listening_port_25" version="1"> | ||
| <linux:protocol>tcp</linux:protocol> | ||
| <linux:local_address operation="not equal">127.0.0.1</linux:local_address> | ||
| <linux:local_port datatype="int">25</linux:local_port> | ||
| <filter action="exclude">ste_not_port_25</filter> | ||
| <filter action="exclude">ste_not_on_localhost</filter> | ||
| </linux:inetlisteningservers_object> | ||
| <linux:inetlisteningservers_state id="ste_not_port_25" version="1"> | ||
| <linux:local_port datatype="int" operation="not equal">25</linux:local_port> | ||
| </linux:inetlisteningservers_state> | ||
| <linux:inetlisteningservers_state id="ste_not_on_localhost" version="1"> | ||
| <linux:local_address operation="equals">::1</linux:local_address> | ||
| </linux:inetlisteningservers_state> | ||
| <linux:inetlisteningservers_test check="all" check_existence="none_exist" | ||
| id="tst_nothing_listening_external_mta_port" version="1" | ||
| comment="mta is not listening on any non-loopback address"> | ||
| <linux:object object_ref="obj_listening_port_25" /> | ||
| </linux:inetlisteningservers_test> | ||
| </def-group> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| documentation_complete: true | ||
|
|
||
| prodtype: ubuntu2004,ubuntu2204 | ||
|
|
||
| title: 'Ensure Mail Transfer Agent is not Listening on any non-loopback Address' | ||
|
|
||
| description: |- | ||
| Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to | ||
| listen for incoming mail and transfer the messages to the appropriate | ||
| user or mail server. If the system is not intended to be a mail server, | ||
| it is recommended that the MTA be configured to only process local mail. | ||
| rationale: |- | ||
| The software for all Mail Transfer Agents is complex and most have a | ||
| long history of security issues. While it is important to ensure that | ||
| the system can process local mail messages, it is not necessary to have | ||
| the MTA's daemon listening on a port unless the server is intended to | ||
| be a mail server that receives and processes mail from other systems. | ||
| severity: medium | ||
|
|
||
| references: | ||
| cis@ubuntu2004: 2.2.15 | ||
| cis@ubuntu2204: 2.2.15 | ||
|
|
||
| ocil_clause: 'MTA is listening on any non-loopback address' | ||
|
|
||
| ocil: |- | ||
| Run the following command to verify that the MTA is not listening on | ||
| any non-loopback address (127.0.0.1 or ::1). | ||
| <pre># ss -lntu | grep -E ':25\s' | grep -E -v '\s(127.0.0.1|::1):25\s'</pre> | ||
| Nothing should be returned |
5 changes: 5 additions & 0 deletions
5
linux_os/guide/services/mail/has_nonlocal_mta/tests/correct.pass.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| #!/bin/bash | ||
| # packages = postfix | ||
|
|
||
| echo "inet_interfaces = localhost" > /etc/postfix/main.cf | ||
| systemctl restart postfix |
6 changes: 6 additions & 0 deletions
6
linux_os/guide/services/mail/has_nonlocal_mta/tests/wrong.fail.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| #!/bin/bash | ||
| # packages = postfix | ||
| # remediation = none | ||
|
|
||
| echo "inet_interfaces = all" > /etc/postfix/main.cf | ||
| systemctl restart postfix |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters