Introduce network access control rule

linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml

@@ -46,7 +46,6 @@ references:
  pcidss: Req-1.4
  pcidss4: "1.5.1"
  srg: SRG-OS-000480-GPOS-00227
- stigid@ol7: OL07-00-040810
  stigid@rhel7: RHEL-07-040810
 
 ocil_clause: 'the default zone is not set to DROP'

linux_os/guide/system/network/network_implement_access_control/oval/shared.xml

@@ -0,0 +1,101 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("Configure the access control program to grant or deny access to
+ specific hosts and services") }}}
+ <criteria operator="OR">
+ <criteria operator="AND">
+ <extend_definition comment="package firewalld installed" definition_ref="package_firewalld_installed" />
+ <extend_definition comment="service firewalld enabled" definition_ref="service_firewalld_enabled" />
+ <criteria operator="OR">
+ <criterion comment="firewalld's default zone is configured to grant access to
+ specific hosts" test_ref="test_firewalld_default_zone_hosts_configured" />
+ <criterion comment="firewalld's default zone is configured to grant access to
+ specific services" test_ref="test_firewalld_default_zone_services_configured" />
+ </criteria>
+ </criteria>
+ <criteria operator="OR">
+ <criterion comment="tcpwrappers allow list is configured"
+ test_ref="test_tcpwrappers_allow_list_not_empty" />
+ <criterion comment="tcpwrappers deny list is configured"
+ test_ref="test_tcpwrappers_deny_list_not_empty" />
+ </criteria>
+ </criteria>
+ </definition>
+
+ <local_variable id="var_firewalld_default_zone_filename" datatype="int" version="1"
+ comment="Name of the zone definition file">
+ <concat>
+ <object_component item_field="subexpression" object_ref="obj_firewalld_default_zone"/>
+ <literal_component>.xml</literal_component>
+ </concat>
+ </local_variable>
+
+ <ind:textfilecontent54_test id="test_tcpwrappers_allow_list_not_empty" check="all"
+ check_existence="all_exist" comment="check if /etc/hosts.allow is empty" version="1">
+ <ind:object object_ref="obj_file_empty_hosts_allow"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_file_empty_hosts_allow" version="1">
+ <ind:filepath>/etc/hosts.allow</ind:filepath>
+ <ind:pattern operation="pattern match">^[^#]+</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test id="test_tcpwrappers_deny_list_not_empty" check="all"
+ check_existence="all_exist" comment="check if /etc/hosts.deny is empty" version="1">
+ <ind:object object_ref="obj_file_empty_hosts_deny"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_file_empty_hosts_deny" version="1">
+ <ind:filepath>/etc/hosts.deny</ind:filepath>
+ <ind:pattern operation="pattern match">^[^#]+</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="obj_firewalld_default_zone" version="1">
+ <ind:filepath>/etc/firewalld/firewalld.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*DefaultZone=(\w+)$</ind:pattern>
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="any_exist"
+ comment="check if firewalld's default zone is configured to grant access to specific hosts"
+ id="test_firewalld_default_zone_hosts_configured" version="1">
+ <ind:object object_ref="obj_firewalld_public_zone_hosts_configured" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_firewalld_public_zone_hosts_configured"
+ version="1">
+ <ind:path operation="pattern match">^/(etc|usr/lib)/firewalld/zones/</ind:path>
+ <ind:filename var_ref="var_firewalld_default_zone_filename"></ind:filename>
+ <ind:pattern operation="pattern match">^[\s]+&lt;source (address|mac|ipset)="[\w:]+"[\s]*/&gt;$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="any_exist"
+ comment="check if firewalld's default zone is configured to grant access to specific services"
+ id="test_firewalld_default_zone_services_configured" version="1">
+ <ind:object object_ref="obj_firewalld_public_zone_services_configured" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_firewalld_public_zone_services_configured"
+ version="1">
+ <ind:path operation="pattern match">^/(etc|usr/lib)/firewalld/zones/</ind:path>
+ <ind:filename var_ref="var_firewalld_default_zone_filename"></ind:filename>
+ <ind:pattern operation="pattern match">^[\s]+&lt;service name="\w+"[\s]*/&gt;$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
+ comment="check if there is an user-defined public zone definition file"
+ id="test_no_user_defined_public_zone_file" version="1">
+ <ind:object object_ref="obj_no_user_defined_public_zone_file" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_no_user_defined_public_zone_file"
+ version="1">
+ <ind:filepath>/etc/firewalld/zones/public.xml</ind:filepath>
+ <ind:pattern operation="pattern match">.*</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>

linux_os/guide/system/network/network_implement_access_control/rule.yml

@@ -0,0 +1,88 @@
+documentation_complete: true
+
+prodtype: ol7,ol8
+
+title: 'Grant Or Deny System Access To Specific Hosts And Services'
+
+description: |-
+ To verify the system's access control program is configured
+ to grant or deny system access to specific hosts check to see
+ if "firewalld" is active with the following command:
+
+ <pre># systemctl status firewalld
+ firewalld.service - firewalld - dynamic firewall daemon
+ Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
+ Active: active (running) since Sun 2014-04-20 14:06:46 BST; 30s ago</pre>
+
+ If "firewalld" is active, check to see if it is configured to grant or deny
+ access to specific hosts or services with the following commands:
+
+ <pre># firewall-cmd --get-default-zone
+ public
+
+ # firewall-cmd --list-all --zone=public
+ public (active)
+ target: default
+ icmp-block-inversion: no
+ interfaces: eth0
+ sources:
+ services: mdns ssh
+ ports:
+ protocols:
+ masquerade: no
+ forward-ports:
+ icmp-blocks:</pre>
+
+ If "firewalld" is not active, determine whether "tcpwrappers" is being used by checking
+ whether the "hosts.allow" and "hosts.deny" files are empty with the following commands:
+
+ <pre># ls -al /etc/hosts.allow
+ rw-r----- 1 root root 9 Aug 2 23:13 /etc/hosts.allow
+
+ # ls -al /etc/hosts.deny
+ -rw-r----- 1 root root 9 Apr 9 2007 /etc/hosts.deny</pre>
+
+ If "firewalld" and "tcpwrappers" are not installed, configured, and active,
+ ask the SA if another access control program (such as iptables) is installed
+ and active.
+
+ Ask the SA to show that the running configuration grants or denies access
+ to specific hosts or services.
+
+ If "firewalld" is active and is not configured to grant access to specific
+ hosts or "tcpwrappers" is not configured to grant or deny access to
+ specific hosts, this is a finding.
+
+rationale: |-
+ If the systems access control program is not configured with appropriate
+ rules for allowing and denying access to system network resources,
+ services may be accessible to unauthorized hosts.
+
+severity: medium
+
+references:
+ disa: CCI-000366
+ nist: CM-6 b,CM-6.1(iv)
+ srg: SRG-OS-000480-GPOS-00227
+ stigid@ol7: OL07-00-040810
+
+ocil_clause: 'the system access control program is not configured'
+
+ocil: |-
+ To verify there is a system access control program configured
+ to grant or deny system access to specific hosts check to see
+ if "firewalld" is active and the default zone is "public".
+
+ If "firewalld" is not active, determine whether "tcpwrappers"
+ is being used by checking whether the "hosts.allow" and "hosts.deny"
+ files are empty.
+
+ If "firewalld" is not active and configured, and the "hosts.allow" and
+ "hosts.deny" files are empty, this is a finding.
+
+warnings:
+ - general: |-
+ This rule checks that either firewalld or tcpwrappers are being used
+ to restrict system access to some hosts and/or services. It does not
+ check for any specific hosts/services. Make sure that the allowed
+ hosts/services meet your operational needs.

linux_os/guide/system/network/network_implement_access_control/tests/correct_firewalld_config_hosts.pass.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+# packages = firewalld
+
+systemctl enable firewalld
+systemctl start firewalld
+
+firewall-cmd --set-default-zone=public
+
+firewall-cmd --permanent \
+ --zone=public \
+ --add-source="192.168.122.25" \
+ --add-source="192.168.122.28"
+

linux_os/guide/system/network/network_implement_access_control/tests/correct_firewalld_config_services_user_defined_zonefile.pass.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+# packages = firewalld
+
+systemctl enable firewalld
+systemctl start firewalld
+
+firewall-cmd --permanent --new-zone=myzone
+firewall-cmd \
+ --permanent \
+ --zone=myzone \
+ --add-service="ssh" \
+ --add-service="dhcp"
+
+systemctl restart firewalld
+
+firewall-cmd --set-default-zone=myzone

linux_os/guide/system/network/network_implement_access_control/tests/correct_tcpwrappers_allow_config.pass.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+# packages = firewalld
+
+systemctl stop firewalld
+systemctl disable firewalld
+
+echo "192.168.122.25" >> /etc/hosts.allow

linux_os/guide/system/network/network_implement_access_control/tests/correct_tcpwrappers_deny_config.pass.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+# packages = firewalld
+
+systemctl stop firewalld
+systemctl disable firewalld
+
+echo "192.168.122.25" >> /etc/hosts.deny

linux_os/guide/system/network/network_implement_access_control/tests/no_network_access_control.fail.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+# packages = firewalld
+# remediation = none
+
+systemctl stop firewalld
+systemctl disable firewalld
+
+truncate -s 0 /etc/hosts.{allow,deny}

products/ol7/profiles/stig.profile

@@ -278,7 +278,6 @@ selections:
  - sysctl_net_ipv4_ip_forward
  - mount_option_krb_sec_remote_filesystems
  - snmpd_not_default_password
- - set_firewalld_default_zone
  - libreswan_approved_tunnels
  - sysctl_net_ipv6_conf_all_accept_source_route
  - install_smartcard_packages
@@ -339,3 +338,4 @@ selections:
  - ensure_oracle_gpgkey_installed
  - dconf_gnome_disable_user_list
  - package_mailx_installed
+ - network_implement_access_control