From 6f675aad7c19f31ed4e8120e716b93fe559ba937 Mon Sep 17 00:00:00 2001
From: alanmcanonical
Date: Thu, 9 May 2024 11:19:12 +0100
Subject: [PATCH 1/3] Check ufw is active
Only check whether the ufw is active after ufw service is enable instead of configuring the ufw.
---
 components/ufw.yml | 1 +
 .../network-ufw/check_ufw_active/rule.yml | 30 +++++++++++++++++++
 .../check_ufw_active/sce/shared.sh | 11 +++++++
 .../check_ufw_active/tests/correct.pass.sh | 5 ++++
 .../check_ufw_active/tests/incorrect.fail.sh | 7 +++++
 .../network-ufw/service_ufw_enabled/rule.yml | 2 +-
 products/ubuntu2204/profiles/stig.profile | 6 ++--
 7 files changed, 58 insertions(+), 4 deletions(-)
 create mode 100644 linux_os/guide/system/network/network-ufw/check_ufw_active/rule.yml
 create mode 100644 linux_os/guide/system/network/network-ufw/check_ufw_active/sce/shared.sh
 create mode 100644 linux_os/guide/system/network/network-ufw/check_ufw_active/tests/correct.pass.sh
 create mode 100644 linux_os/guide/system/network/network-ufw/check_ufw_active/tests/incorrect.fail.sh
diff --git a/components/ufw.yml b/components/ufw.yml
index ce21c4ff55f..df36a047093 100644
--- a/components/ufw.yml
+++ b/components/ufw.yml
@@ -4,6 +4,7 @@ name: ufw
 packages:
 - ufw
 rules:
+- check_ufw_active
 - package_ufw_installed
 - package_ufw_removed
 - service_ufw_enabled
diff --git a/linux_os/guide/system/network/network-ufw/check_ufw_active/rule.yml b/linux_os/guide/system/network/network-ufw/check_ufw_active/rule.yml
new file mode 100644
index 00000000000..920e62c3e7b
--- /dev/null
+++ b/linux_os/guide/system/network/network-ufw/check_ufw_active/rule.yml
@@ -0,0 +1,30 @@
+documentation_complete: true
+
+title: 'Verify ufw Active'
+
+description: |-
+ Verify the ufw is enabled on the system with the following command:
+
# sudo ufw status
+ If the above command returns the status as "inactive" or any type of error, this is a finding.
+
+rationale: |-
+ Remote access services, such as those providing remote access to network devices and information systems,
+ which lack automated control capabilities, increase risk and make remote user access management difficult at best.
+ Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating
+ through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+ Ubuntu 22.04 LTS functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity.
+ Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by
+ enforcing connection rules of remote access applications on a variety of information system components.
+
+severity: medium
+
+references:
+ cis@ubuntu2004: 3.5.1.3
+ cis@ubuntu2204: 3.5.1.3
+ disa: CCI-002314
+ stigid@ubuntu2204: UBTU-22-251015
+
+fixtext: |-
+ Enable the ufw by using the following command:
+
$ sudo ufw enable
+platform: machine and package[ufw]
diff --git a/linux_os/guide/system/network/network-ufw/check_ufw_active/sce/shared.sh b/linux_os/guide/system/network/network-ufw/check_ufw_active/sce/shared.sh
new file mode 100644
index 00000000000..4b7f4b0bd1f
--- /dev/null
+++ b/linux_os/guide/system/network/network-ufw/check_ufw_active/sce/shared.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+# platform = multi_platform_ubuntu
+# check-import = stdout
+
+result=$XCCDF_RESULT_FAIL
+
+if ufw status | grep -qw "active"; then
+ result=${XCCDF_RESULT_PASS}
+fi
+
+exit $result
diff --git a/linux_os/guide/system/network/network-ufw/check_ufw_active/tests/correct.pass.sh b/linux_os/guide/system/network/network-ufw/check_ufw_active/tests/correct.pass.sh
new file mode 100644
index 00000000000..5ee51b0f77e
--- /dev/null
+++ b/linux_os/guide/system/network/network-ufw/check_ufw_active/tests/correct.pass.sh
@@ -0,0 +1,5 @@
+# package = ufw
+
+systemctl enable --now ufw
+ufw allow ssh
+ufw -f enable
diff --git a/linux_os/guide/system/network/network-ufw/check_ufw_active/tests/incorrect.fail.sh b/linux_os/guide/system/network/network-ufw/check_ufw_active/tests/incorrect.fail.sh
new file mode 100644
index 00000000000..fb77c940da1
--- /dev/null
+++ b/linux_os/guide/system/network/network-ufw/check_ufw_active/tests/incorrect.fail.sh
@@ -0,0 +1,7 @@
+# package = ufw
+# remediation = none
+
+systemctl enable --now ufw
+ufw allow ssh
+ufw -f enable || exit 1
+ufw disable
diff --git a/linux_os/guide/system/network/network-ufw/service_ufw_enabled/rule.yml b/linux_os/guide/system/network/network-ufw/service_ufw_enabled/rule.yml
index c9ef0599dbd..b12d2d4309c 100644
--- a/linux_os/guide/system/network/network-ufw/service_ufw_enabled/rule.yml
+++ b/linux_os/guide/system/network/network-ufw/service_ufw_enabled/rule.yml
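Review bot: The `rationale` block of the new check_ufw_active/rule.yml (the lines following `+rationale: |-`) discusses automated control of remote access sessions and the DOD definition of remote access, which does not explain why the host firewall must be active; it reads as text carried over from a different requirement. A rationale tied to this check would say something like `A firewall that is installed and enabled at boot but not currently active filters no traffic; verifying that ufw reports an active status confirms the packet filter is actually enforcing the configured rules.` The `description` shows the status command with a `#` prompt while `fixtext` uses `$ sudo`; one prompt convention across both blocks would be clearer.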
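Review bot: The test in `if ufw status | grep -qw "active"; then` in shared.sh accepts any line of the status output that contains the whole word active rather than the state line itself, and stderr from a failing `ufw` invocation is not redirected; `-w` does keep `inactive` from matching, so the current form is loose rather than wrong. Since ufw reports its state on a `Status:` line, matching that line keeps the check aligned with the rule description, which treats only an inactive status or an error as a finding: `if ufw status 2>/dev/null | grep -q '^Status: active$'; then`. For consistency with the PASS assignment a few lines below, `result=${XCCDF_RESULT_FAIL}` and `exit "$result"` would also match the file's own braced, quoted style.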
@@ -16,7 +16,7 @@ references:
 disa: CCI-002314
 srg: SRG-OS-000297-GPOS-00115
 stigid@ubuntu2004: UBTU-20-010434
- stigid@ubuntu2204: UBTU-22-251015
+ stigid@ubuntu2204: UBTU-22-251020
 ocil_clause: 'the service is not enabled'
diff --git a/products/ubuntu2204/profiles/stig.profile b/products/ubuntu2204/profiles/stig.profile
index f710d852a01..30973e2fc6b 100644
--- a/products/ubuntu2204/profiles/stig.profile
+++ b/products/ubuntu2204/profiles/stig.profile
@@ -569,11 +569,11 @@ selections:
 # UBTU-22-412015 The Ubuntu operating system must display the date and time of the last successful account logon upon logon.
 - display_login_attempts
- # UBTU-22-251015 The Ubuntu operating system must have an application firewall enabled.
- - service_ufw_enabled
+ # UBTU-22-251015 The Ubuntu operating system must enable and run the Uncomplicated Firewall (ufw).
+ - check_ufw_active
 # UBTU-22-251020 The Ubuntu operating system must have an application firewall enabled.
- # same as UBTU-22-251015
+ - service_ufw_enabled
 ### TODO
 # UBTU-22-291015 The Ubuntu operating system must disable all wireless network adapters.
From 80c672ae6f61b696f05dbbbe23da9a5b3eb085d4 Mon Sep 17 00:00:00 2001
From: alanmcanonical
Date: Fri, 10 May 2024 10:48:39 +0100
Subject: [PATCH 2/3] Add a new line
---
 .../guide/system/network/network-ufw/check_ufw_active/rule.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/system/network/network-ufw/check_ufw_active/rule.yml b/linux_os/guide/system/network/network-ufw/check_ufw_active/rule.yml
index 920e62c3e7b..d15a9485e20 100644
--- a/linux_os/guide/system/network/network-ufw/check_ufw_active/rule.yml
+++ b/linux_os/guide/system/network/network-ufw/check_ufw_active/rule.yml
@@ -27,4 +27,5 @@ references:
 fixtext: |-
 Enable the ufw by using the following command:
$ sudo ufw enable
+
 platform: machine and package[ufw]
From 4e3f121869bdba6853cbcb0c34638f56a5ad9eaa Mon Sep 17 00:00:00 2001
From: alanmcanonical
Date: Mon, 13 May 2024 15:00:53 +0100
Subject: [PATCH 3/3] Insert the rule into ubuntu 2004 stig profile
---
 .../guide/system/network/network-ufw/check_ufw_active/rule.yml | 1 +
 products/ubuntu2004/profiles/stig.profile | 1 +
 2 files changed, 2 insertions(+)
diff --git a/linux_os/guide/system/network/network-ufw/check_ufw_active/rule.yml b/linux_os/guide/system/network/network-ufw/check_ufw_active/rule.yml
index d15a9485e20..cb71acc01ae 100644
--- a/linux_os/guide/system/network/network-ufw/check_ufw_active/rule.yml
+++ b/linux_os/guide/system/network/network-ufw/check_ufw_active/rule.yml
@@ -22,6 +22,7 @@ references:
 cis@ubuntu2004: 3.5.1.3
 cis@ubuntu2204: 3.5.1.3
 disa: CCI-002314
+ stigid@ubuntu2004: UBTU-20-010434
 stigid@ubuntu2204: UBTU-22-251015
 fixtext: |-
diff --git a/products/ubuntu2004/profiles/stig.profile b/products/ubuntu2004/profiles/stig.profile
index c85cf4ddc2e..f6be3192b4f 100644
--- a/products/ubuntu2004/profiles/stig.profile
+++ b/products/ubuntu2004/profiles/stig.profile
@@ -523,6 +523,7 @@ selections:
 # UBTU-20-010434 The Ubuntu operating system must enable and run the uncomplicated firewall(ufw).
 - service_ufw_enabled
+ - check_ufw_active
 # UBTU-20-010435 The Ubuntu operating system must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
 - var_time_service_set_maxpoll=36_hours