diff --git a/components/ufw.yml b/components/ufw.yml index ce21c4ff55f..df36a047093 100644 --- a/components/ufw.yml +++ b/components/ufw.yml @@ -4,6 +4,7 @@ name: ufw packages: - ufw rules: +- check_ufw_active - package_ufw_installed - package_ufw_removed - service_ufw_enabled diff --git a/linux_os/guide/system/network/network-ufw/check_ufw_active/rule.yml b/linux_os/guide/system/network/network-ufw/check_ufw_active/rule.yml new file mode 100644 index 00000000000..cb71acc01ae --- /dev/null +++ b/linux_os/guide/system/network/network-ufw/check_ufw_active/rule.yml @@ -0,0 +1,32 @@ +documentation_complete: true + +title: 'Verify ufw Active' + +description: |- + Verify the ufw is enabled on the system with the following command: +
# sudo ufw status
+ If the above command returns the status as "inactive" or any type of error, this is a finding. + +rationale: |- + Remote access services, such as those providing remote access to network devices and information systems, + which lack automated control capabilities, increase risk and make remote user access management difficult at best. + Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating + through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + Ubuntu 22.04 LTS functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. + Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by + enforcing connection rules of remote access applications on a variety of information system components. + +severity: medium + +references: + cis@ubuntu2004: 3.5.1.3 + cis@ubuntu2204: 3.5.1.3 + disa: CCI-002314 + stigid@ubuntu2004: UBTU-20-010434 + stigid@ubuntu2204: UBTU-22-251015 + +fixtext: |- + Enable the ufw by using the following command: +
$ sudo ufw enable
+ +platform: machine and package[ufw] diff --git a/linux_os/guide/system/network/network-ufw/check_ufw_active/sce/shared.sh b/linux_os/guide/system/network/network-ufw/check_ufw_active/sce/shared.sh new file mode 100644 index 00000000000..4b7f4b0bd1f --- /dev/null +++ b/linux_os/guide/system/network/network-ufw/check_ufw_active/sce/shared.sh @@ -0,0 +1,11 @@ +#!/usr/bin/env bash +# platform = multi_platform_ubuntu +# check-import = stdout + +result=$XCCDF_RESULT_FAIL + +if ufw status | grep -qw "active"; then + result=${XCCDF_RESULT_PASS} +fi + +exit $result diff --git a/linux_os/guide/system/network/network-ufw/check_ufw_active/tests/correct.pass.sh b/linux_os/guide/system/network/network-ufw/check_ufw_active/tests/correct.pass.sh new file mode 100644 index 00000000000..5ee51b0f77e --- /dev/null +++ b/linux_os/guide/system/network/network-ufw/check_ufw_active/tests/correct.pass.sh @@ -0,0 +1,5 @@ +# package = ufw + +systemctl enable --now ufw +ufw allow ssh +ufw -f enable diff --git a/linux_os/guide/system/network/network-ufw/check_ufw_active/tests/incorrect.fail.sh b/linux_os/guide/system/network/network-ufw/check_ufw_active/tests/incorrect.fail.sh new file mode 100644 index 00000000000..fb77c940da1 --- /dev/null +++ b/linux_os/guide/system/network/network-ufw/check_ufw_active/tests/incorrect.fail.sh @@ -0,0 +1,7 @@ +# package = ufw +# remediation = none + +systemctl enable --now ufw +ufw allow ssh +ufw -f enable || exit 1 +ufw disable diff --git a/linux_os/guide/system/network/network-ufw/service_ufw_enabled/rule.yml b/linux_os/guide/system/network/network-ufw/service_ufw_enabled/rule.yml index c9ef0599dbd..b12d2d4309c 100644 --- a/linux_os/guide/system/network/network-ufw/service_ufw_enabled/rule.yml +++ b/linux_os/guide/system/network/network-ufw/service_ufw_enabled/rule.yml @@ -16,7 +16,7 @@ references: disa: CCI-002314 srg: SRG-OS-000297-GPOS-00115 stigid@ubuntu2004: UBTU-20-010434 - stigid@ubuntu2204: UBTU-22-251015 + stigid@ubuntu2204: UBTU-22-251020 ocil_clause: 'the service is not enabled' diff --git a/products/ubuntu2004/profiles/stig.profile b/products/ubuntu2004/profiles/stig.profile index c85cf4ddc2e..f6be3192b4f 100644 --- a/products/ubuntu2004/profiles/stig.profile +++ b/products/ubuntu2004/profiles/stig.profile @@ -523,6 +523,7 @@ selections: # UBTU-20-010434 The Ubuntu operating system must enable and run the uncomplicated firewall(ufw). - service_ufw_enabled + - check_ufw_active # UBTU-20-010435 The Ubuntu operating system must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS). - var_time_service_set_maxpoll=36_hours diff --git a/products/ubuntu2204/profiles/stig.profile b/products/ubuntu2204/profiles/stig.profile index f710d852a01..30973e2fc6b 100644 --- a/products/ubuntu2204/profiles/stig.profile +++ b/products/ubuntu2204/profiles/stig.profile @@ -569,11 +569,11 @@ selections: # UBTU-22-412015 The Ubuntu operating system must display the date and time of the last successful account logon upon logon. - display_login_attempts - # UBTU-22-251015 The Ubuntu operating system must have an application firewall enabled. - - service_ufw_enabled + # UBTU-22-251015 The Ubuntu operating system must enable and run the Uncomplicated Firewall (ufw). + - check_ufw_active # UBTU-22-251020 The Ubuntu operating system must have an application firewall enabled. - # same as UBTU-22-251015 + - service_ufw_enabled ### TODO # UBTU-22-291015 The Ubuntu operating system must disable all wireless network adapters.