Add Variable-based CPE and UFW rules for Ubuntu 20.04 STIG

build-scripts/cpe_generate.py

@@ -58,6 +58,8 @@ def main():
     for el in defs.findall(".//{%s}definition" % oval_ns):
         if el.get("class") != "inventory":
             continue
+        if el.get("id").startswith("var_"):
+            continue
         inventory_defs.append(el)
 
     # Keep the list of 'id' attributes from untranslated inventory def elements
@@ -145,6 +147,8 @@ def main():
     product_cpes = ssg.build_cpe.ProductCPEs(product_yaml)
     cpe_list = ssg.build_cpe.CPEList()
     for cpe_name in benchmark_cpe_names:
+        if cpe_name.startswith("var_") or cpe_name.startswith("not_var_"):
+            continue
         cpe_list.add(product_cpes.get_cpe(cpe_name))
 
     cpedict_filename = "ssg-" + product + "-cpe-dictionary.xml"

linux_os/guide/system/network/network-ufw/group.yml

@@ -0,0 +1,26 @@
+documentation_complete: true
+
+title: Uncomplicated Firewall (ufw)
+
+description: |-
+    The Linux kernel in Ubuntu provides a packet filtering system called
+    netfilter, and the traditional interface for manipulating netfilter are
+    the iptables suite of commands. iptables provide a complete firewall
+    solution that is both highly configurable and highly flexible.
+
+    Becoming proficient in iptables takes time, and getting started with
+    netfilter firewalling using only iptables can be a daunting task. As a
+    result, many frontends for iptables have been created over the years,
+    each trying to achieve a different result and targeting a different
+    audience.
+
+    The Uncomplicated Firewall (ufw) is a frontend for iptables and is
+    particularly well-suited for host-based firewalls. ufw provides a
+    framework for managing netfilter, as well as a command-line interface
+    for manipulating the firewall. ufw aims to provide an easy to use
+    interface for people unfamiliar with firewall concepts, while at the
+    same time simplifies complicated iptables commands to help an
+    administrator who knows what he or she is doing. ufw is an upstream
+    for other distributions and graphical frontends.
+
+platform: machine

linux_os/guide/system/network/network-ufw/package_ufw_installed/rule.yml

@@ -0,0 +1,34 @@
+documentation_complete: true
+
+prodtype: ubuntu2004
+
+title: 'Install ufw Package'
+
+description: |-
+    {{{ describe_package_install(package="ufw") }}}
+
+rationale: |-
+    <tt>ufw</tt> controls the Linux kernel network packet filtering
+    code. <tt>ufw</tt> allows system operators to set up firewalls and IP
+    masquerading, etc.
+
+platforms:
+  - var_ufw
+  - machine
+
+severity: medium
+
+references:
+    cis@ubuntu2004: 3.5.1.1
+    disa: CCI-002314
+    srg: SRG-OS-000297-GPOS-00115
+    stigid@ubuntu2004: UBTU-20-010433
+
+ocil_clause: 'the package is not installed'
+
+ocil: '{{{ ocil_package(package="ufw") }}}'
+
+template:
+    name: package_installed
+    vars:
+        pkgname: ufw

linux_os/guide/system/network/network-ufw/service_ufw_enabled/rule.yml

@@ -0,0 +1,31 @@
+documentation_complete: true
+
+title: 'Verify ufw Enabled'
+
+description: |-
+    {{{ describe_service_enable(service="ufw") }}}
+
+rationale: |-
+    The ufw service must be enabled and running in order for ufw to protect the system
+
+platforms:
+  - var_ufw
+  - machine
+
+severity: medium
+
+references:
+    cis@ubuntu2004: 3.5.1.3
+    disa: CCI-002314
+    srg: SRG-OS-000297-GPOS-00115
+    stigid@ubuntu2004: UBTU-20-010434
+
+ocil: |-
+    {{{ ocil_service_enabled(service="ufw") }}}
+
+template:
+    name: service_enabled
+    vars:
+        servicename: ufw
+
+platform: machine

linux_os/guide/system/network/network-ufw/ufw_only_required_services/rule.yml

@@ -0,0 +1,73 @@
+documentation_complete: true
+
+prodtype: ubuntu2004
+
+title: 'Only Allow Authorized Network Services in ufw'
+
+description: |-
+    Check the firewall configuration for any unnecessary or prohibited
+    functions, ports, protocols, and/or services by running the following
+    command:
+    <pre>$ sudo ufw show raw
+    Chain OUTPUT (policy ACCEPT)
+    target prot opt sources destination
+    Chain INPUT (policy ACCEPT 1 packets, 40 bytes)
+    pkts bytes target prot opt in out source destination
+    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
+    pkts bytes target prot opt in out source destination
+    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
+    pkts bytes target prot opt in out source destination</pre>
+
+    Ask the System Administrator for the site or program PPSM CLSA. Verify
+    the services allowed by the firewall match the PPSM CLSA.
+
+rationale: |-
+    To prevent unauthorized connection of devices, unauthorized transfer of
+    information, or unauthorized tunneling (i.e., embedding of data types
+    within data types), organizations must disable or restrict unused or
+    unnecessary physical and logical ports/protocols on information systems.
+
+    Operating systems are capable of providing a wide variety of functions
+    and services. Some of the functions and services provided by default
+    may not be necessary to support essential organizational operations.
+    Additionally, it is sometimes convenient to provide multiple services
+    from a single component (e.g., VPN and IPS); however, doing so
+    increases risk over limiting the services provided by any one component.
+
+    To support the requirements and principles of least functionality, the
+    operating system must support the organizational requirements, providing
+    only essential capabilities and limiting the use of ports, protocols,
+    and/or services to only those required, authorized, and approved to
+    conduct official business or to address authorized quality of life
+    issues.
+
+platforms:
+    - var_ufw
+    - machine
+
+severity: medium
+
+references:
+    disa: CCI-000382
+    srg: SRG-OS-000096-GPOS-00050
+    stigid@ubuntu2004: UBTU-20-010407
+
+ocil_clause: 'unauthorized network services can be accessed from the network'
+
+ocil: |-
+    Check the firewall configuration for any unnecessary or prohibited
+    functions, ports, protocols, and/or services by running the following
+    command:
+    <pre>$ sudo ufw show raw</pre>
+
+    Ask the System Administrator for the site or program PPSM CLSA. Verify
+    the services allowed by the firewall match the PPSM CLSA.
+
+    Add all ports, protocols, or services allowed by the PPSM CLSA by using
+    the following command:
+    <pre>$ sudo ufw allow "direction" "port/protocol/service"</pre>
+    where the direction is "in" or "out" and the port is the one
+    corresponding to the protocol or service allowed.
+
+    To deny access to ports, protocols, or services, use:
+    <pre>$ sudo ufw deny "direction" "port/protocol/service"</pre>

linux_os/guide/system/network/network-ufw/ufw_rate_limit/rule.yml

@@ -0,0 +1,52 @@
+documentation_complete: true
+
+prodtype: ubuntu2004
+
+title: 'ufw Must rate-limit network interfaces'
+
+description: |-
+    The operating system must configure the uncomplicated firewall to
+    rate-limit impacted network interfaces.
+
+rationale: |-
+    This requirement addresses the configuration of the operating system to
+    mitigate the impact of DoS attacks that have occurred or are ongoing on
+    system availability. For each system, known and potential DoS attacks
+    must be identified and solutions for each type implemented. A variety
+    of technologies exist to limit or, in some cases, eliminate the effects
+    of DoS attacks (e.g., limiting processes or establishing memory
+    partitions). Employing increased capacity and bandwidth, combined with
+    service redundancy, may reduce the susceptibility to some DoS attacks.
+
+platforms:
+    - var_ufw
+    - machine
+
+severity: medium
+
+references:
+    disa: CCI-002385
+    srg: SRG-OS-000420-GPOS-00186
+    stigid@ubuntu2004: UBTU-20-010446
+
+ocil_clause: 'network interface not rate-limit'
+
+ocil: |-
+    Check all the services listening to the ports with the following
+    command:
+    <pre>$ sudo ss -l46ut
+    Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
+    tcp LISTEN 0 128 [::]:ssh [::]:*</pre>
+
+    For each entry, verify that the ufw is configured to rate limit the
+    service ports with the following command:
+    <pre>$ sudo ufw status</pre>
+
+    If any port with a state of "LISTEN" is not marked with the "LIMIT"
+    action, run the following command, replacing "service" with the
+    service that needs to be rate limited:
+    <pre>$ sudo ufw limit "service"</pre>
+
+    Rate-limiting can also be done on an interface. An example of adding
+    a rate-limit on the eth0 interface follows:
+    <pre>$ sudo ufw limit in on eth0</pre>

linux_os/guide/system/network/var_firewall_package.var

@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: 'Selected firewall utility'
+
+description: 'Which firewalling utility (iptables, nftables, ufw, or firewalld) should be used.'
+
+type: string
+
+interactive: true
+
+options:
+    default: iptables
+    iptables: iptables
+    nftables: nftables
+    ufw: ufw
+    firewalld: firewalld

products/ubuntu2004/profiles/stig.profile

@@ -437,6 +437,7 @@ selections:
     - package_rsh-server_removed
 
     # UBTU-20-010407 The Ubuntu operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
+    - ufw_only_required_services
 
     # UBTU-20-010408 The Ubuntu operating system must prevent direct login into the root account.
     - prevent_direct_root_logins
@@ -513,8 +514,11 @@ selections:
     - service_rsyslog_enabled
 
     # UBTU-20-010433 The Ubuntu operating system must have an application firewall installed in order to control remote access methods.
+    - var_firewall_package=ufw
+    - package_ufw_installed
 
     # UBTU-20-010434 The Ubuntu operating system must enable and run the uncomplicated firewall(ufw).
+    - service_ufw_enabled
 
     # UBTU-20-010435 The Ubuntu operating system must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
     - var_time_service_set_maxpoll=36_hours
@@ -548,6 +552,7 @@ selections:
     # UBTU-20-010445 Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized disclosure of all information at rest.
 
     # UBTU-20-010446 The Ubuntu operating system must configure the uncomplicated firewall to rate-limit impacted network interfaces.
+    - ufw_rate_limit
 
     # UBTU-20-010447 The Ubuntu operating system must implement non-executable data to protect its memory from unauthorized code execution.
     - bios_enable_execution_restrictions

shared/applicability/variables.yml

@@ -0,0 +1,82 @@
+cpes:
+  - var_chrony:
+      name: "cpe:/a:var_chrony"
+      title: "Chrony is selected"
+      check_id: var_time_synchronization_daemon_is_chrony
+      variable: var_time_synchronization_daemon
+      value: chrony
+      negated: false
+
+  - not_var_chrony:
+      name: "cpe:/a:not_var_chrony"
+      title: "Chrony is not selected"
+      check_id: var_time_synchronization_daemon_is_not_chrony
+      variable: var_time_synchronization_daemon
+      value: chrony
+      negated: true
+
+  - var_ntp:
+      name: "cpe:/a:var_ntp"
+      title: "ntp is selected"
+      check_id: var_time_synchronization_daemon_is_ntp
+      variable: var_time_synchronization_daemon
+      value: ntp
+      negated: false
+
+  - not_var_ntp:
+      name: "cpe:/a:not_var_ntp"
+      title: "ntp is not selected"
+      check_id: var_time_synchronization_daemon_is_not_ntp
+      variable: var_time_synchronization_daemon
+      value: ntp
+      negated: true
+
+  # The following variables are for var_firewall_package, choosing between
+  # iptables, nftables, and ufw.
+  - var_iptables:
+      name: "cpe:/a:var_iptables"
+      title: "iptables is selected"
+      check_id: var_firewall_package_is_iptables
+      variable: var_firewall_package
+      value: iptables
+      negated: false
+
+  - not_var_iptables:
+      name: "cpe:/a:not_var_iptables"
+      title: "iptables is not selected"
+      check_id: var_firewall_package_is_not_iptables
+      variable: var_firewall_package
+      value: iptables
+      negated: true
+
+  - var_nftables:
+      name: "cpe:/a:var_nftables"
+      title: "nftables is selected"
+      check_id: var_firewall_package_is_nftables
+      variable: var_firewall_package
+      value: nftables
+      negated: false
+
+  - not_var_nftables:
+      name: "cpe:/a:not_var_nftables"
+      title: "nftables is not selected"
+      check_id: var_firewall_package_is_not_nftables
+      variable: var_firewall_package
+      value: nftables
+      negated: true
+
+  - var_ufw:
+      name: "cpe:/a:var_ufw"
+      title: "ufw is selected"
+      check_id: var_firewall_package_is_ufw
+      variable: var_firewall_package
+      value: ufw
+      negated: false
+
+  - not_var_ufw:
+      name: "cpe:/a:not_var_ufw"
+      title: "ufw is not selected"
+      check_id: var_firewall_package_is_not_ufw
+      variable: var_firewall_package
+      value: ufw
+      negated: true

shared/checks/oval/var_firewall_package_is_iptables.xml

@@ -0,0 +1 @@
+{{{ oval_check_var_is_value("var_firewall_package", "iptables") }}}

shared/checks/oval/var_firewall_package_is_nftables.xml

@@ -0,0 +1 @@
+{{{ oval_check_var_is_value("var_firewall_package", "nftables") }}}

shared/checks/oval/var_firewall_package_is_not_iptables.xml

@@ -0,0 +1 @@
+{{{ oval_check_var_is_value("var_firewall_package", "iptables", negate=true) }}}

shared/checks/oval/var_firewall_package_is_not_nftables.xml

@@ -0,0 +1 @@
+{{{ oval_check_var_is_value("var_firewall_package", "nftables", negate=true) }}}

shared/checks/oval/var_firewall_package_is_not_ufw.xml

@@ -0,0 +1 @@
+{{{ oval_check_var_is_value("var_firewall_package", "ufw", negate=true) }}}

shared/checks/oval/var_firewall_package_is_ufw.xml

@@ -0,0 +1 @@
+{{{ oval_check_var_is_value("var_firewall_package", "ufw") }}}

shared/macros-highlevel.jinja

@@ -25,14 +25,16 @@ substituting the correct package management software.
 
 :param package: Name of package
 :type package: str
+:param removed: Boolean condition for ocil_clause
+:type removed: bool
 
 #}}
-{{% macro complete_ocil_entry_package(package) -%}}
+{{% macro complete_ocil_entry_package(package, removed=False) -%}}
   {{% if pkg_system is defined %}}
     {{%- if pkg_system == "rpm" %}}
-        {{{ rpm_complete_ocil_entry_package(package) }}}
+        {{{ rpm_complete_ocil_entry_package(package, removed=removed) }}}
     {{%- elif pkg_system == "dpkg" %}}
-        {{{ dpkg_complete_ocil_entry_package(package) }}}
+        {{{ dpkg_complete_ocil_entry_package(package, removed=removed) }}}
     {{%- else -%}}
 ocil: |-
     JINJA MACRO ERROR - Unknown package system '{{{ pkg_system }}}'.