From a99b885fc6728e8eee33ae4be6c86f9795dd5754 Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Thu, 25 Apr 2024 11:20:55 +0200
Subject: [PATCH] Align wireless_disable_interfaces with Ubuntu 22.04 STIG

- Created Ubuntu-specific OVAL to check /proc/net/wireless for enabled interfaces. The existing implementation relies on the interface name starting with "wl", which could be overriden.
- Modified remediation to disable the driver modules as suggested by CIS and STIG, instead of disabling wifi using nmcli.
---
.../bash/ubuntu.sh | 4 +--
.../oval/ubuntu.xml | 16 ++++++++++++
.../wireless_disable_interfaces/rule.yml | 25 +++++++++++++++++++
3 files changed, 42 insertions(+), 3 deletions(-)
create mode 100644 linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/oval/ubuntu.xml

diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/bash/ubuntu.sh b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/bash/ubuntu.sh
index 3232817e518..e083dbf03ae 100644
--- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/bash/ubuntu.sh
+++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/bash/ubuntu.sh
@@ -1,8 +1,6 @@
 # platform = multi_platform_ubuntu
-if command -v nmcli >/dev/null 2>&1 ; then
- nmcli radio all off
-elif [ -n "$(find /sys/class/net/*/ -type d -name wireless)" ]; then
+if [ -n "$(find /sys/class/net/*/ -type d -name wireless)" ]; then
 interfaces=$(find /sys/class/net/*/wireless -type d -name wireless | xargs -0 dirname | xargs basename)
 for i in $interfaces; do
diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/oval/ubuntu.xml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/oval/ubuntu.xml
new file mode 100644
index 00000000000..a0a9b8dc49c
--- /dev/null
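Review bot: With the `nmcli radio all off` branch removed, the `find … | xargs -0 dirname | xargs basename` pipeline on the context line is the only way interface names are collected, and it mishandles hosts with more than one wireless interface: `find` emits newline-separated paths while `xargs -0` expects NUL separators, so every path is handed to `dirname` as one argument and the following `xargs basename` then splits that result on whitespace, producing names such as `wireless` and `net` rather than the interfaces. A single-interface host only works because the trailing newline is absorbed into the last path component that `dirname` strips. Replacing the assignment with `interfaces=$(find /sys/class/net/*/wireless -maxdepth 0 -type d -printf '%h\n' | xargs -n 1 basename)` (or using `-print0` and `xargs -0` consistently) fixes this. The enclosing `if`/`for` block continues past the end of the hunk, so the per-interface module handling the commit message describes is not visible here.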
+++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/oval/ubuntu.xml
@@ -0,0 +1,16 @@
+
+
+ {{{ oval_metadata("All wireless interfaces should be disabled.") }}}
+
+
+
+
+
+
+
+
+ /proc/net/wireless
+ ^\s*\S+:\s
+ 1
+
+
diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
index 7a55c61fa57..bc2af847731 100644
--- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
+++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
@@ -14,6 +14,10 @@ description: |-
 Also remove the configuration files for every wifi adapter from /etc/wicked/ifconfig/<WIFI-INTERFACE>.xml to prevent future connections.
+ {{% elif 'ubuntu' in product %}}
+ Verify that there are no wireless interfaces configured on the system
+ with the following command:
+
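Review bot: The pattern `^\s*\S+:\s` applied to `/proc/net/wireless` matches one row per registered wireless interface and skips the two header rows (neither contains a colon), but the XML element tags of this hunk have been stripped in this view, so I cannot see whether the object carries an existence check that treats a missing file as a pass rather than an error; as far as I recall, `/proc/net/wireless` is only present on kernels built with wireless-extensions support, so a host with no wireless stack at all should be confirmed to evaluate to pass. It would also help to document in the OVAL metadata that, to my understanding, an interface brought down with `ip link set … down` still appears in this file until its driver module is unloaded, which is what makes the module-removal remediation the only one that satisfies this check.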
$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename -a
{{% else %}} Configure the system to disable all wireless network interfaces with the following command:
$ sudo nmcli radio all off
@@ -93,6 +97,9 @@ ocil: |- If a wireless interface is configured it must be documented and approved by the local Authorizing Official. + {{% elif 'ubuntu' in product %}} +
$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename -a
+ Note: This requirement is Not Applicable for systems that do not have physical wireless network radios. {{% else %}} Note: This requirement is Not Applicable for systems that do not have physical wireless network radios. @@ -107,8 +114,26 @@ ocil: |- {{% endif %}} fixtext: |- + {{% if 'ubuntu' in product %}} + List all the wireless interfaces with the following command: +
$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename -a
+ For each interface, configure the system to disable wireless network + interfaces with the following command: +
$ sudo ifdown interface name
+ For each interface listed, find their respective module with the + following command: +
$ basename $(readlink -f /sys/class/net/interface name/device/driver)
+ where interface name must be substituted by the actual interface name. + Create a file in the /etc/modprobe.d directory and for each module, + add the following line: +
install module name /bin/true
+ For each module from the system, execute the following command to + remove it: +
$ sudo modprobe -r module name
+ {{% else %}} Configure the system to disable all wireless network interfaces with the following command:
$ nmcli radio all off
+ {{% endif %}} srg_requirement: '{{{ full_name }}} wireless network adapters must be disabled.'
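Review bot: The fixtext step `$ sudo ifdown interface name` depends on the ifupdown package, which, as far as I know, is not installed by default on netplan-managed Ubuntu 22.04, so on a stock system the operator gets command-not-found; `$ sudo ip link set <interface name> down` works regardless of which network stack manages the interface. The text should also say that `modprobe -r` refuses to unload a module that is still in use (the interface being up, or another module depending on it), so the link-down step must precede it and a final `lsmod | grep <module name>` confirms the module is gone. Writing the placeholders as `<interface name>` and `<module name>`, as the description hunk already does with `<WIFI-INTERFACE>`, would make it obvious which words are to be substituted rather than typed literally.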