Skip to content

Commit

Permalink
Merge pull request #11998 from mpurg/ubuntu_2204_stig_251025
Browse files Browse the repository at this point in the history
Add SCE check for ufw_rate_limit for Ubuntu
  • Loading branch information
dodys authored May 17, 2024
2 parents 23d56eb + bdb698b commit 0ec2d6e
Show file tree
Hide file tree
Showing 7 changed files with 102 additions and 0 deletions.
19 changes: 19 additions & 0 deletions linux_os/guide/system/network/network-ufw/ufw_rate_limit/rule.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,25 @@ description: |-
The operating system must configure the uncomplicated firewall to
rate-limit impacted network interfaces.
Check all the services listening to the ports with the following
command:
<pre>$ sudo ss -l46ut
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp LISTEN 0 128 [::]:ssh [::]:*</pre>
For each entry, verify that the ufw is configured to rate limit the
service ports with the following command:
<pre>$ sudo ufw status</pre>
If any port with a state of "LISTEN" is not marked with the "LIMIT"
action, run the following command, replacing "service" with the
service that needs to be rate limited:
<pre>$ sudo ufw limit "service"</pre>
Rate-limiting can also be done on an interface. An example of adding
a rate-limit on the eth0 interface follows:
<pre>$ sudo ufw limit in on eth0</pre>
rationale: |-
This requirement addresses the configuration of the operating system to
mitigate the impact of DoS attacks that have occurred or are ongoing on
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
#!/bin/bash
# platform = multi_platform_ubuntu
# check-import = stdout

ufw_status="$(ufw status verbose)"

# check ufw is running
if grep -q "Status: inactive" <<< "$ufw_status"; then
exit $XCCDF_RESULT_FAIL
fi

# check default incoming rule is not allow
if grep -q "Default: allow (incoming)" <<< "$ufw_status"; then
exit $XCCDF_RESULT_FAIL
fi

# check that listening ports which are open in the firewall are
# not "ALLOW IN", and are thus rate-limited, deny or rejected, or
# or using the default rule
while read -r lpn;
do
if grep -Pq "^\h*$lpn\b.*ALLOW IN" <<< "$ufw_status"; then
exit $XCCDF_RESULT_FAIL
fi
done < <(ss -tulnH | awk '{n=split($5, a, ":"); print a[n]}' | sort -u)

exit $XCCDF_RESULT_PASS
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
#!/bin/bash
# platforms = multi_platform_ubuntu
# packages = ufw
# remediation = none

source common.sh

ufw allow 22
ufw limit 53
ufw deny 631
ufw -f enable

Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
#!/bin/bash

# mock `ss -tulnH`

cat > /usr/local/bin/ss <<EOF
cat <<FOE
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::1]:631 [::]:*
tcp LISTEN 0 128 [::]:22 [::]:*
FOE
EOF
chmod +x /usr/local/bin/ss

ufw disable
ufw -f reset
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
#!/bin/bash
# platforms = multi_platform_ubuntu
# packages = ufw

source common.sh

ufw limit 22
ufw limit 53
ufw deny 631
ufw -f enable
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
#!/bin/bash
# platforms = multi_platform_ubuntu
# packages = ufw

source common.sh

ufw default allow
ufw -f enable
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
#!/bin/bash
# platforms = multi_platform_ubuntu
# packages = ufw

source common.sh

ufw -f disable

0 comments on commit 0ec2d6e

Please sign in to comment.