
Add remediation for RHEL-08-040090
It _appears_ that the OSCAP content already takes care of this, but this
will still show up on _some_ hardening-scans. Adding this state to make
it easier to point to code and say, "yes, watchmaker _is_ setting this,
appropriately"

Closes #422
ferricoxide committed Jul 3, 2023
1 parent a62d215 commit 0920137
Showing 3 changed files with 101 additions and 0 deletions.
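--- a/ash-linux/el8/STIGbyID/cat2/RHEL-08-040090.sls
+++ b/ash-linux/el8/STIGbyID/cat2/RHEL-08-040090.sls
@@ -0,0 +1,69 @@
+# Ref Doc: STIG - RHEL 8 v1r10
+# Finding ID: V-230238
+# Rule ID: SV-230504r854047_rule
+# STIG ID: RHEL-08-040090
+# SRG ID: SRG-OS-000297-GPOS-00115
+#
+# Finding Level: medium
+#
+# Rule Summary:
+# The operating system must enable a firewall service that employs
+# a deny-all, allow-by-exception policy for allowing connections to
+# other systems.
+#
+# References:
+# CCI:
+# - CCI-002314
+# NIST SP 800-53 Revision 4 :: AC-17 (1)
+#
+###########################################################################
+{%- set stig_id = 'RHEL-08-040090' %}
+{%- set helperLoc = 'ash-linux/el8/STIGbyID/cat2/files' %}
+{%- set skipIt = salt.pillar.get('ash-linux:lookup:skip-stigs', []) %}
+{%- set firewalldConf = '/etc/firewalld/firewalld.conf' %}
+{%- set firewalldParm = 'DefaultZone' %}
+{%- set firewalldValu = salt.pillar.get('ash-linux:lookup:def_firewall_zone', 'drop') %}
+{%- set firewalldSafePorts = salt.pillar.get('ash-linux:lookup:def_firewall_ports', [] ) %}
+{%- set firewalldSafeSvcs = salt.pillar.get('ash-linux:lookup:def_firewall_services', [ 'ssh', ] ) %}
+
+script_{{ stig_id }}-describe:
+cmd.script:
+- source: salt://{{ helperLoc }}/{{ stig_id }}.sh
+- cwd: /root
+
+{%- if stig_id in skipIt %}
+notify_{{ stig_id }}-skipSet:
+cmd.run:
+- name: 'printf "\nchanged=no comment=''Handler for {{ stig_id }} has been selected for skip.''\n"'
+- stateful: True
+- cwd: /root
+{%- else %}
+Set Default firewalld zone - config-file:
+file.replace:
+- name: '{{ firewalldConf }}'
+- pattern: '^({{ firewalldParm }})(\s*=\s*).*'
+- repl: '\1=drop'
+- append_if_not_found: True
+- not_found_content: |-
+# Inserted per STIG {{ stig_id }}
+{{ firewalldParm }}={{ firewalldValu }}
+Set Default firewalld zone - config-running:
+module.run:
+- name: firewalld.set_default_zone
+- onchanges:
+- file: 'Set Default firewalld zone - config-file'
+- unless:
+- '[[ $( firewall-cmd --get-default-zone ) == "drop" ]]'
+- zone: drop
+
+Set Minimum Ports:
+firewalld.present:
+- name: '{{ firewalldValu }}'
+- onchanges:
+- module: 'Set Default firewalld zone - config-running'
+- ports: {{ firewalldSafePorts }}
+- prune_ports: False
+- prune_services: False
+- services: {{ firewalldSafeSvcs }}
+{%- endif %}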
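Review bot: The replacement on `- repl: '\1=drop'` is hard-coded while the rest of the state takes the zone from pillar (`firewalldValu`, defaulting to 'drop'), so when `ash-linux:lookup:def_firewall_zone` is set to another zone the `not_found_content` branch writes the pillar zone but an existing `DefaultZone=` line is rewritten to `drop`. The `unless` check and `zone:` argument of the `module.run` state are pinned to `drop` in the same way, whereas `Set Minimum Ports` adds ssh and the pillar ports to `'{{ firewalldValu }}'`, so the running default zone and the zone that receives the allow-list can diverge, which on a remote host risks cutting off the management session. Use the pillar value in all three places: `- repl: '\1={{ firewalldValu }}'`, `- '[[ $( firewall-cmd --get-default-zone ) == "{{ firewalldValu }}" ]]'` and `- zone: {{ firewalldValu }}`. The rendering has flattened the indentation, so the nesting of the `onchanges`/`unless` lists should be confirmed against the source file.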
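--- a/ash-linux/el8/STIGbyID/cat2/files/RHEL-08-040090.sh
+++ b/ash-linux/el8/STIGbyID/cat2/files/RHEL-08-040090.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+# Ref Doc: STIG - RHEL 8 v1r10
+# Finding ID: V-230238
+# Rule ID: SV-230504r854047_rule
+# STIG ID: RHEL-08-040090
+# SRG ID: SRG-OS-000297-GPOS-00115
+#
+# Finding Level: medium
+#
+# Rule Summary:
+# The operating system must enable a firewall service that employs
+# a deny-all, allow-by-exception policy for allowing connections to
+# other systems.
+#
+# References:
+# CCI:
+# - CCI-002314
+# NIST SP 800-53 Revision 4 :: AC-17 (1)
+#
+###########################################################################
+# Standard outputter function
+diag_out() {
+echo "${1}"
+}
+
+diag_out "--------------------------------------"
+diag_out "STIG Finding ID: V-230238"
+diag_out " The OS activate a host-based"
+diag_out " firewall service with a default"
+diag_out " 'deny-all' posture"
+diag_out "--------------------------------------"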
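Review bot: The diagnostic line `diag_out " The OS activate a host-based"` is ungrammatical in the text an operator sees when the companion `.sls` runs this script via `cmd.script`; `diag_out " The OS activates a host-based"` (or "must activate", matching the Rule Summary in the header) reads correctly. Nothing else in the script needs changing; it only echoes fixed strings.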
1 change: 1 addition & 0 deletions ash-linux/el8/STIGbyID/cat2/init.sls
Expand Up @@ -22,6 +22,7 @@ include:
- ash-linux.el8.STIGbyID.cat2.RHEL-08-020221
- ash-linux.el8.STIGbyID.cat2.RHEL-08-020231
- ash-linux.el8.STIGbyID.cat2.RHEL-08-030740
- ash-linux.el8.STIGbyID.cat2.RHEL-08-040090
- ash-linux.el8.STIGbyID.cat2.RHEL-08-040123
- ash-linux.el8.STIGbyID.cat2.RHEL-08-040282
- ash-linux.el8.STIGbyID.cat2.RHEL-08-040290
