
Align wireless_disable_interfaces with Ubuntu 22.04 STIG #11886

Merged (1 commit), Apr 26, 2024
@@ -1,8 +1,6 @@
# platform = multi_platform_ubuntu

if command -v nmcli >/dev/null 2>&1 ; then
nmcli radio all off
Contributor: Please keep the nmcli; this aligns with CIS.

Contributor Author: As discussed, we can remove this since CIS 2.0.0 no longer uses nmcli in the remediation.

elif [ -n "$(find /sys/class/net/*/ -type d -name wireless)" ]; then
if [ -n "$(find /sys/class/net/*/ -type d -name wireless)" ]; then
interfaces=$(find /sys/class/net/*/wireless -type d -name wireless | xargs -0 dirname | xargs basename)

for i in $interfaces; do
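Review bot: the enumeration line `interfaces=$(find /sys/class/net/*/wireless -type d -name wireless | xargs -0 dirname | xargs basename)` has two defects: `xargs -0` expects NUL-separated input but this `find` prints newline-separated paths (add `-print0`, or drop `-0`), and the trailing `xargs basename` hands every directory name to one `basename` call, where GNU `basename` without `-a` treats the second operand as a suffix to strip rather than a second name, so a host with two wireless adapters gets a wrong list. Suggested form: `find /sys/class/net/*/ -type d -name wireless -print0 | xargs -0 dirname | xargs basename -a`, or reuse the `ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename -a` pipeline this PR puts in the fixtext so the remediation and the written guidance enumerate interfaces the same way.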
@@ -0,0 +1,16 @@
<def-group>
<definition class="compliance" id="wireless_disable_interfaces" version="1">
{{{ oval_metadata("All wireless interfaces should be disabled.") }}}
<criteria>
<criterion comment="query /proc/net/wireless" test_ref="test_wireless_disable_interfaces" />
</criteria>
</definition>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="query /proc/net/wireless" id="test_wireless_disable_interfaces" version="1">
<ind:object object_ref="object_wireless_disable_interfaces" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_wireless_disable_interfaces" version="1">
Contributor: This check is only identifying if there's any wireless interface; it is not checking if they are disabled. The shared OVAL is better.

Contributor Author: I did this test to check if the interface is still listed:

# cat /proc/net/wireless 
Inter-| sta-|   Quality        |   Discarded packets               | Missed | WE
 face | tus | link level noise |  nwid  crypt   frag  retry   misc | beacon | 22
wlp2s0: 0000   45.  -65.  -256        0      0      0      0      1        0

# ip link set wlp2s0 down

# cat /proc/net/wireless 
Inter-| sta-|   Quality        |   Discarded packets               | Missed | WE
 face | tus | link level noise |  nwid  crypt   frag  retry   misc | beacon | 22

I did find an issue with the regex though.

<ind:filepath>/proc/net/wireless</ind:filepath>
<ind:pattern operation="pattern match">^\s*\S+:\s</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
</def-group>
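Review bot: the test passes as soon as no line of `/proc/net/wireless` matches `^\s*\S+:\s`, which the `ip link set wlp2s0 down` session above shows happens once the interface is down, but the rule's own description and ocil verify with `ls -L -d /sys/class/net/*/wireless`, which still lists an interface that is merely down, so the check and the guidance disagree on what "disabled" means. Please also verify the behaviour with an interface that is up but not associated to any network: the row shown in the session carries link-quality statistics that exist only for an associated station, so if an unassociated interface also has no row, this object detects "not connected" rather than "disabled" and the `check_existence="none_exist"` result is weaker than the rule title promises. Either state in a comment on the `textfilecontent54_object` exactly which state the check detects, or base the object on the sysfs `wireless` directory the fixtext already uses, which disappears only when the driver module is removed (the `modprobe -r` step in the fixtext).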
@@ -14,6 +14,10 @@ description: |-
Also remove the configuration files for every wifi adapter from
<tt>/etc/wicked/ifconfig/&lt;WIFI-INTERFACE&gt;.xml</tt> to prevent future
connections.
{{% elif 'ubuntu' in product %}}
Verify that there are no wireless interfaces configured on the system
with the following command:
<pre>$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename -a</pre>
{{% else %}}
Configure the system to disable all wireless network interfaces with the following command:
<pre>$ sudo nmcli radio all off</pre>
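Review bot: the Ubuntu branch of `description` contains a verification instruction ("Verify that there are no wireless interfaces configured..."), but `description` should describe the configuration the rule requires; the verification step belongs in the `ocil` block, where this same PR already adds the identical `ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename -a` command. Also, the wording "configured" overstates what the command shows: it lists every interface whose driver exposes a `wireless` sysfs directory, configured or not, and when the glob matches nothing the pipeline prints `ls`, `dirname` and `basename` errors instead of empty output (`xargs -r` would suppress the latter two). Say what a compliant result looks like so an assessor is not misled by the error text.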
@@ -93,6 +97,9 @@ ocil: |-

If a wireless interface is configured it must be documented and approved by
the local Authorizing Official.
{{% elif 'ubuntu' in product %}}
Contributor: This if seems unnecessary, as you already have the command introduced above and the note is already in the else below.

Contributor Author: If we don't make a special conditional for Ubuntu, it will show the nmcli in the else statement, which is not ideal since we are not relying on nmcli.

<pre>$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename -a</pre>
Note: This requirement is Not Applicable for systems that do not have physical wireless network radios.
{{% else %}}
Note: This requirement is Not Applicable for systems that do not have physical wireless network radios.
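Review bot: the `{{% elif 'ubuntu' in product %}}` branch duplicates the `Note: This requirement is Not Applicable for systems that do not have physical wireless network radios.` line that the `{{% else %}}` branch carries one line below. Keep the Ubuntu branch for the command only (so Ubuntu readers do not get the nmcli text, as argued in the thread) and move the shared Note after the `{{% endif %}}`, so it is maintained in one place. The ocil should also state which output constitutes a finding: any interface name printed by the `ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename -a` pipeline.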

@@ -107,8 +114,26 @@ ocil: |-
{{% endif %}}

fixtext: |-
{{% if 'ubuntu' in product %}}
Contributor: Also mention the nmcli fix.

Contributor Author: As decided, we are moving away from the nmcli fix.

List all the wireless interfaces with the following command:
<pre>$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename -a</pre>
For each interface, configure the system to disable wireless network
interfaces with the following command:
<pre>$ sudo ifdown <tt>interface name</tt></pre>
For each interface listed, find their respective module with the
following command:
<pre>$ basename $(readlink -f /sys/class/net/<tt>interface name</tt>/device/driver)</pre>
where <tt>interface name</tt> must be substituted by the actual interface name.
Create a file in the <tt>/etc/modprobe.d</tt> directory and for each module,
add the following line:
<pre>install <tt>module name</tt> /bin/true</pre>
For each module from the system, execute the following command to
remove it:
<pre>$ sudo modprobe -r <tt>module name</tt></pre>
{{% else %}}
Configure the system to disable all wireless network interfaces with the following command:
<pre>$ nmcli radio all off</pre>
{{% endif %}}

srg_requirement: '{{{ full_name }}} wireless network adapters must be disabled.'
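Review bot: `<pre>$ sudo ifdown <tt>interface name</tt></pre>` depends on the ifupdown package, which a default Ubuntu 22.04 install (netplan) does not ship, and `ifdown` only acts on interfaces declared in `/etc/network/interfaces`, so on most targets this step fails with "command not found" or "unknown interface". Use `ip link set <tt>interface name</tt> down`, which is what the author's own verification session in this review used, and which works regardless of the network stack in use. Two smaller points in the same hunk: the `{{% else %}}` branch shows `$ nmcli radio all off` while the description block shows `$ sudo nmcli radio all off`, so pick one; and since the `install <tt>module name</tt> /bin/true` line makes `modprobe` report success without loading the driver, the fixtext should tell the reader to reboot or re-run the interface listing afterwards to confirm the module stays out, otherwise the `modprobe -r` step is only verified by the OVAL check on the next scan.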
