Restart postfix service and add rule has_nonlocal_mta

[dodys]

Description:

• The rule postfix_network_listening_disabled was missing a restart of postfix service in bash remediation. I didn't touch the ansible for that, hopefully some other vendor can check it and add it if needed.
• Add rule has_nonlocal_mta to actually check that the MTA is not listening on any non-loopback address ( 127.0.0.1 or ::1 )

Rationale:

• This rule relates to CIS on different distributions.

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled' differs.
--- xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled
+++ xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled
@@ -19,6 +19,8 @@
 # Clean up after ourselves.
 rm "/etc/postfix/main.cf.bak"
 
+systemctl restart postfix
+
 else
 >&2 echo 'Remediation is not applicable, nothing was done'
 fi

[marcusburghardt]

It would be great to have some test scenarios for this new rule. Could you include, please?

[dodys]

It would be great to have some test scenarios for this new rule. Could you include, please?

I'm not sure that's possible. There's no remediation on this rule.
Do you have an example for a rule like this?

[marcusburghardt]

It would be great to have some test scenarios for this new rule. Could you include, please?

I'm not sure that's possible. There's no remediation on this rule. Do you have an example for a rule like this?

The rule checks if there is a service listening on tcp/25 and binding to anything different of localhost addresses.
However, there are different MTAs which can bind the tcp/25. Therefore, I agree that a remediation for this rule would complex and likely not able to cover all possible cases. I agree to not include a remediation for this rule.

Regarding the tests, we could use postfix MTA, for example, to test the check.
For example:
1 - Ensure the postfix package is installed
2 - Edit the inet_interfaces option in /etc/postfix/main.cf file.
3 - Restart the postfix service.

For a pass test scenario this value should be enough: inet_interfaces = localhost
For a fail test scenario this value should be enough: inet_interfaces = all

In the fail test scenario we can use the # remediation = none header.

[dodys]

It would be great to have some test scenarios for this new rule. Could you include, please?

I'm not sure that's possible. There's no remediation on this rule. Do you have an example for a rule like this?

The rule checks if there is a service listening on tcp/25 and binding to anything different of localhost addresses. However, there are different MTAs which can bind the tcp/25. Therefore, I agree that a remediation for this rule would complex and likely not able to cover all possible cases. I agree to not include a remediation for this rule.

Regarding the tests, we could use postfix MTA, for example, to test the check. For example: 1 - Ensure the postfix package is installed 2 - Edit the inet_interfaces option in /etc/postfix/main.cf file. 3 - Restart the postfix service.

For a pass test scenario this value should be enough: inet_interfaces = localhost For a fail test scenario this value should be enough: inet_interfaces = all

In the fail test scenario we can use the # remediation = none header.

nice! I completely forgot about # remediation = none
let me try it then

[codeclimate]

Code Climate has analyzed commit 307508d and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 51.8% (-0.1% change).

View more on Code Climate.

[marcusburghardt]

The testing-farm:centos-stream-8-x86_64 test error is probably unrelated to this PR but is a required test. We need to confirm.

[dodys]

/packit retest-failed

[marcusburghardt]

Automatus CS8, CS9 and Fedora tests are failing because the has_nonlocal_mta rule is restricted to ubuntu.

[marcusburghardt]

While the postfix_network_listening_disabled checks the postfix configuration, the new has_nonlocal_mta ensures there is no service listening on 25/tcp for addresses different than localhost. This rule is a useful complement for the related requirements. Thanks

[marcusburghardt]

Overriding CODEOWNERS since a SUSE approver is not currently available and @dodys can't approve his own PR.