From 2c956496c57e4907e8ee877c303cbb952a597917 Mon Sep 17 00:00:00 2001
From: Eduardo Barretto
Date: Wed, 22 Mar 2023 11:11:20 +0100
Subject: [PATCH 1/6] postfix_network_listening_disabled: Restart postfix service
---
 .../postfix_network_listening_disabled/bash/shared.sh | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/bash/shared.sh b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/bash/shared.sh
index 93a9e58780f..befe1acf3bf 100644
--- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/bash/shared.sh
+++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/bash/shared.sh
@@ -3,3 +3,5 @@
 {{{ bash_instantiate_variables("var_postfix_inet_interfaces") }}}
 {{{ set_config_file(path="/etc/postfix/main.cf", parameter="inet_interfaces", value="$var_postfix_inet_interfaces", create=true, insensitive=true, separator="=", separator_regex="\s\+=\s\+", prefix_regex="^\s*") }}}
+
+systemctl restart postfix
From aad9ed0c0c7a41c88ccf3fe2698eeb4eacbcd90c Mon Sep 17 00:00:00 2001
From: Eduardo Barretto
Date: Wed, 22 Mar 2023 11:11:54 +0100
Subject: [PATCH 2/6] Add rule has_nonlocal_mta
---
 .../services/mail/has_nonlocal_mta/rule.yml | 32 +++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 linux_os/guide/services/mail/has_nonlocal_mta/rule.yml
diff --git a/linux_os/guide/services/mail/has_nonlocal_mta/rule.yml b/linux_os/guide/services/mail/has_nonlocal_mta/rule.yml
new file mode 100644
index 00000000000..bdcd6d4a5fd
--- /dev/null
+++ b/linux_os/guide/services/mail/has_nonlocal_mta/rule.yml
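Review bot: `systemctl restart postfix` is run unconditionally after the config edit, so on a host where postfix is installed but intentionally stopped or disabled the remediation starts the daemon, and where the unit is absent the command fails and the script ends with a non-zero status. Gate it on the service already running: `if systemctl is-active --quiet postfix; then systemctl restart postfix; fi`. A full restart rather than `reload` looks like the right verb here — as far as I know Postfix does not apply an inet_interfaces change on reload — but that deserves a one-line comment above the call, e.g. `# inet_interfaces is only re-read on a full restart, not on reload`. The file's first lines are outside the hunk.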
@@ -0,0 +1,32 @@
+documentation_complete: true
+
+prodtype: ubuntu2004,ubuntu2204
+
+title: 'Ensure Mail Transfer Agent is not Listening on any non-loopback Address'
+
+description: |-
+ Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to
+ listen for incoming mail and transfer the messages to the appropriate
+ user or mail server. If the system is not intended to be a mail server,
+ it is recommended that the MTA be configured to only process local mail.
+
+rationale: |-
+ The software for all Mail Transfer Agents is complex and most have a
+ long history of security issues. While it is important to ensure that
+ the system can process local mail messages, it is not necessary to have
+ the MTA's daemon listening on a port unless the server is intended to
+ be a mail server that receives and processes mail from other systems.
+
+severity: medium
+
+references:
+ cis@ubuntu2004: 2.2.15
+ cis@ubuntu2204: 2.2.15
+
+ocil_clause: 'MTA is listening on any non-loopback address'
+
+ocil: |-
+ Run the following command to verify that the MTA is not listening on
+ any non-loopback address (127.0.0.1 or ::1).
+
# ss -lntu | grep -E ':25\s' | grep -E -v '\s(127.0.0.1|::1):25\s'
+ Nothing should be returned
From d04877d49e0c153afa4bf9be4fb391285a495972 Mon Sep 17 00:00:00 2001
From: Eduardo Barretto
Date: Wed, 22 Mar 2023 11:53:41 +0100
Subject: [PATCH 3/6] has_nonlocal_mta: Add OVAL
---
 .../mail/has_nonlocal_mta/oval/shared.xml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 linux_os/guide/services/mail/has_nonlocal_mta/oval/shared.xml
diff --git a/linux_os/guide/services/mail/has_nonlocal_mta/oval/shared.xml b/linux_os/guide/services/mail/has_nonlocal_mta/oval/shared.xml
new file mode 100644
index 00000000000..d0d74058b74
--- /dev/null
+++ b/linux_os/guide/services/mail/has_nonlocal_mta/oval/shared.xml
@@ -0,0 +1,27 @@
+ + + {{{ oval_metadata("Verify MTA is not listening on any non-loopback address") }}} + + + + + + tcp + 127.0.0.1 + 25 + ste_not_port_25 + ste_not_on_localhost + + + 25 + + + ::1 + + + + +
From 2ab45b687753e933532bed0770ddbac9b61df814 Mon Sep 17 00:00:00 2001
From: Eduardo Barretto
Date: Wed, 22 Mar 2023 11:59:30 +0100
Subject: [PATCH 4/6] ubuntu2204: cis_level1_server: Add rule has_nonlocal_mta
---
 products/ubuntu2204/profiles/cis_level1_server.profile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/products/ubuntu2204/profiles/cis_level1_server.profile b/products/ubuntu2204/profiles/cis_level1_server.profile
index 1af1bb5307b..6706483b514 100644
--- a/products/ubuntu2204/profiles/cis_level1_server.profile
+++ b/products/ubuntu2204/profiles/cis_level1_server.profile
@@ -313,6 +313,7 @@ selections:
 ### 2.2.15 Ensure mail transfer agent is configured for local-only mode (Automated)
 - var_postfix_inet_interfaces=loopback-only
 - postfix_network_listening_disabled
+ - has_nonlocal_mta
 ### 2.2.16 Ensure rsync service is not installed (Automated)
 - package_rsync_removed
From bde91e910d3890278968b114cbc2e68d0b8c2ed1 Mon Sep 17 00:00:00 2001
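Review bot: The exclusion pattern in the OCIL command, `grep -E -v '\s(127.0.0.1|::1):25\s'`, does not match the way ss prints the IPv6 loopback: ss wraps IPv6 addresses in brackets, so a Postfix bound to ::1 appears as `[::1]:25`, is not filtered out, and the manual check reports a finding on a host that is correctly loopback-only — which is what the profiles' `var_postfix_inet_interfaces=loopback-only` produces whenever IPv6 is enabled. Change the filter to `grep -E -v '\s(127\.0\.0\.1|\[::1\]):25\s'`, which also escapes the dots so an unrelated address cannot match them as wildcards; `-u` can be dropped from `ss -lntu`, since an MTA listens on TCP. The description promises "not listening on any non-loopback address" while the command only inspects port 25; a sentence noting that submission (587) and smtps (465) listeners are out of scope of this check would keep the rule text honest.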
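Review bot: The XML markup of this file was stripped when the page was rendered, so the object/state/filter structure cannot be reviewed here; the surviving literals (`tcp`, `127.0.0.1`, `25`, `::1`, `ste_not_port_25`, `ste_not_on_localhost`) suggest a listener query pinned to tcp/25 with the two loopback addresses filtered out. Two things to confirm against the real file: that the `::1` state is compared in the unbracketed form the inet listening-servers probe reports (the OCIL grep in this same series trips on ss's `[::1]`), and that the object is not limited to one address family. An XML comment at the top stating the scope would also help the next maintainer, e.g. `<!-- Scope: tcp/25 only; listeners on 127.0.0.1 and ::1 are allowed, any other local address fails -->`.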
From: Eduardo Barretto
Date: Wed, 22 Mar 2023 12:00:11 +0100
Subject: [PATCH 5/6] ubuntu2004: cis_level1_server: Add rule has_nonlocal_mta
---
 products/ubuntu2004/profiles/cis_level1_server.profile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/products/ubuntu2004/profiles/cis_level1_server.profile b/products/ubuntu2004/profiles/cis_level1_server.profile
index 75a363b9f7c..6491c4f95c9 100644
--- a/products/ubuntu2004/profiles/cis_level1_server.profile
+++ b/products/ubuntu2004/profiles/cis_level1_server.profile
@@ -283,6 +283,7 @@ selections:
 ### 2.2.15 Ensure mail transfer agent is configured for local-only mode (Automated)
 - var_postfix_inet_interfaces=loopback-only
 - postfix_network_listening_disabled
+ - has_nonlocal_mta
 ### 2.2.16 Ensure rsync service is not installed (Automated)
 - package_rsync_removed
From 307508dc4754cde74710e4a479deb0f046a79701 Mon Sep 17 00:00:00 2001
From: Eduardo Barretto
Date: Wed, 29 Mar 2023 15:25:43 +0200
Subject: [PATCH 6/6] has_nonlocal_mta: Add tests
---
 .../services/mail/has_nonlocal_mta/tests/correct.pass.sh | 5 +++++
 .../services/mail/has_nonlocal_mta/tests/wrong.fail.sh | 6 ++++++
 2 files changed, 11 insertions(+)
 create mode 100644 linux_os/guide/services/mail/has_nonlocal_mta/tests/correct.pass.sh
 create mode 100644 linux_os/guide/services/mail/has_nonlocal_mta/tests/wrong.fail.sh
diff --git a/linux_os/guide/services/mail/has_nonlocal_mta/tests/correct.pass.sh b/linux_os/guide/services/mail/has_nonlocal_mta/tests/correct.pass.sh
new file mode 100644
index 00000000000..c332f0d9cc1
--- /dev/null
+++ b/linux_os/guide/services/mail/has_nonlocal_mta/tests/correct.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# packages = postfix
+
+echo "inet_interfaces = localhost" > /etc/postfix/main.cf
+systemctl restart postfix
diff --git a/linux_os/guide/services/mail/has_nonlocal_mta/tests/wrong.fail.sh b/linux_os/guide/services/mail/has_nonlocal_mta/tests/wrong.fail.sh
new file mode 100644
index 00000000000..03d0ea05a6f
--- /dev/null
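Review bot: The pass scenario writes `inet_interfaces = localhost`, while both profiles in this series pin `var_postfix_inet_interfaces=loopback-only`, so the configuration the remediation actually produces is never covered by a pass test; with Postfix's default `inet_protocols` (all, as I recall) that value yields listeners on both `127.0.0.1:25` and `[::1]:25`, and the IPv6 one is the case most likely to trip an address-matching check. Add a `loopback_only.pass.sh` next to this file, identical except for `echo "inet_interfaces = loopback-only" > /etc/postfix/main.cf`. The `>` redirect replaces the whole main.cf, which is acceptable in a throwaway test environment but deserves a comment such as `# main.cf is deliberately replaced: only inet_interfaces matters for this rule`.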
+++ b/linux_os/guide/services/mail/has_nonlocal_mta/tests/wrong.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = postfix
+# remediation = none
+
+echo "inet_interfaces = all" > /etc/postfix/main.cf
+systemctl restart postfix