Merge pull request #11998 from mpurg/ubuntu_2204_stig_251025

Add SCE check for ufw_rate_limit for Ubuntu

linux_os/guide/system/network/network-ufw/ufw_rate_limit/rule.yml

@@ -7,6 +7,25 @@ description: |-
     The operating system must configure the uncomplicated firewall to
     rate-limit impacted network interfaces.
 
+    Check all the services listening to the ports with the following
+    command:
+    <pre>$ sudo ss -l46ut
+    Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
+    tcp LISTEN 0 128 [::]:ssh [::]:*</pre>
+
+    For each entry, verify that the ufw is configured to rate limit the
+    service ports with the following command:
+    <pre>$ sudo ufw status</pre>
+
+    If any port with a state of "LISTEN" is not marked with the "LIMIT"
+    action, run the following command, replacing "service" with the
+    service that needs to be rate limited:
+    <pre>$ sudo ufw limit "service"</pre>
+
+    Rate-limiting can also be done on an interface. An example of adding
+    a rate-limit on the eth0 interface follows:
+    <pre>$ sudo ufw limit in on eth0</pre>
+
 rationale: |-
     This requirement addresses the configuration of the operating system to
     mitigate the impact of DoS attacks that have occurred or are ongoing on

linux_os/guide/system/network/network-ufw/ufw_rate_limit/sce/shared.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# check-import = stdout
+
+ufw_status="$(ufw status verbose)"
+
+# check ufw is running
+if grep -q "Status: inactive" <<< "$ufw_status"; then
+    exit $XCCDF_RESULT_FAIL
+fi
+
+# check default incoming rule is not allow
+if grep -q "Default: allow (incoming)" <<< "$ufw_status"; then
+    exit $XCCDF_RESULT_FAIL
+fi
+
+# check that listening ports which are open in the firewall are
+# not "ALLOW IN", and are thus rate-limited, deny or rejected, or
+# or using the default rule
+while read -r lpn;
+do
+    if grep -Pq "^\h*$lpn\b.*ALLOW IN" <<< "$ufw_status"; then
+        exit $XCCDF_RESULT_FAIL
+    fi
+done < <(ss -tulnH | awk '{n=split($5, a, ":"); print a[n]}' | sort -u)
+
+exit $XCCDF_RESULT_PASS

linux_os/guide/system/network/network-ufw/ufw_rate_limit/tests/allow.fail.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+# platforms = multi_platform_ubuntu
+# packages = ufw
+# remediation = none
+
+source common.sh
+
+ufw allow 22
+ufw limit 53
+ufw deny 631
+ufw -f enable
+

linux_os/guide/system/network/network-ufw/ufw_rate_limit/tests/common.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# mock `ss -tulnH`
+
+cat > /usr/local/bin/ss <<EOF
+cat <<FOE
+udp UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*
+udp UNCONN 0      0            0.0.0.0:631   0.0.0.0:*
+tcp LISTEN 0      4096   127.0.0.53%lo:53    0.0.0.0:*
+tcp LISTEN 0      128        127.0.0.1:631   0.0.0.0:*
+tcp LISTEN 0      128          0.0.0.0:22    0.0.0.0:*
+tcp LISTEN 0      128            [::1]:631      [::]:*
+tcp LISTEN 0      128             [::]:22       [::]:*
+FOE
+EOF
+chmod +x /usr/local/bin/ss
+
+ufw disable
+ufw -f reset

linux_os/guide/system/network/network-ufw/ufw_rate_limit/tests/correct.pass.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+# platforms = multi_platform_ubuntu
+# packages = ufw
+
+source common.sh
+
+ufw limit 22
+ufw limit 53
+ufw deny 631
+ufw -f enable

linux_os/guide/system/network/network-ufw/ufw_rate_limit/tests/default_allow.fail.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+# platforms = multi_platform_ubuntu
+# packages = ufw
+
+source common.sh
+
+ufw default allow
+ufw -f enable

linux_os/guide/system/network/network-ufw/ufw_rate_limit/tests/disabled.fail.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+# platforms = multi_platform_ubuntu
+# packages = ufw
+
+source common.sh
+
+ufw -f disable