Merge pull request #12628 from mpurg/ubuntu2404_cis_2_1_5

Add new rule service_dnsmasq_disabled
ComplianceAsCode · Nov 25, 2024 · 7b52a14 · 7b52a14
2 parents f12c0f4 + 5da830e
commit 7b52a14
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 2 deletions.
diff --git a/components/bind.yml b/components/bind.yml
@@ -18,3 +18,4 @@ rules:
 - package_bind_removed
 - package_dnsmasq_removed
 - service_named_disabled
+- service_dnsmasq_disabled
diff --git a/components/dnsmasq.yml b/components/dnsmasq.yml
@@ -3,3 +3,4 @@ packages:
 - dnsmasq
 rules:
 - package_dnsmasq_removed
+- service_dnsmasq_disabled
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
@@ -696,8 +696,10 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    status: planned
-    notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile.
+    rules:
+      - package_dnsmasq_removed
+      - service_dnsmasq_disabled
+    status: automated
 
   - id: 2.1.6
     title: Ensure ftp server services are not in use (Automated)

diff --git a/linux_os/guide/services/dns/service_dnsmasq_disabled/rule.yml b/linux_os/guide/services/dns/service_dnsmasq_disabled/rule.yml
@@ -0,0 +1,20 @@
+documentation_complete: true
+
+title: 'Disable dnsmasq Service'
+
+description: |-
+    {{{ describe_service_disable(service="dnsmasq") }}}
+
+rationale: |-
+    Unless a system is specifically designated to act as a DNS
+    caching, DNS forwarding and/or DHCP server, it is recommended
+    that the package be removed to reduce the potential attack surface.
+
+severity: medium
+
+platform: system_with_kernel
+
+template:
+    name: service_disabled
+    vars:
+        servicename: dnsmasq
-Original file line number
+Diff line change
@@ Expand Up / @@ -3,3 +3,4 @@ packages: @@
     - dnsmasq
     rules:
     - package_dnsmasq_removed
+    - service_dnsmasq_disabled