From bdb698bdcf4ebe7b8111ee21cc6de0eb54b2cafa Mon Sep 17 00:00:00 2001
From: Miha Purg <miha.purg@canonical.com>
Date: Mon, 13 May 2024 19:07:54 +0200
Subject: [PATCH] Add SCE check for ufw_rate_limit

---
 .../network-ufw/ufw_rate_limit/rule.yml       | 19 +++++++++++++
 .../network-ufw/ufw_rate_limit/sce/shared.sh  | 27 +++++++++++++++++++
 .../ufw_rate_limit/tests/allow.fail.sh        | 12 +++++++++
 .../ufw_rate_limit/tests/common.sh            | 19 +++++++++++++
 .../ufw_rate_limit/tests/correct.pass.sh      | 10 +++++++
 .../tests/default_allow.fail.sh               |  8 ++++++
 .../ufw_rate_limit/tests/disabled.fail.sh     |  7 +++++
 7 files changed, 102 insertions(+)
 create mode 100644 linux_os/guide/system/network/network-ufw/ufw_rate_limit/sce/shared.sh
 create mode 100644 linux_os/guide/system/network/network-ufw/ufw_rate_limit/tests/allow.fail.sh
 create mode 100644 linux_os/guide/system/network/network-ufw/ufw_rate_limit/tests/common.sh
 create mode 100644 linux_os/guide/system/network/network-ufw/ufw_rate_limit/tests/correct.pass.sh
 create mode 100644 linux_os/guide/system/network/network-ufw/ufw_rate_limit/tests/default_allow.fail.sh
 create mode 100644 linux_os/guide/system/network/network-ufw/ufw_rate_limit/tests/disabled.fail.sh

diff --git a/linux_os/guide/system/network/network-ufw/ufw_rate_limit/rule.yml b/linux_os/guide/system/network/network-ufw/ufw_rate_limit/rule.yml
index 622faac9c40..9ad0b2587a2 100644
--- a/linux_os/guide/system/network/network-ufw/ufw_rate_limit/rule.yml
+++ b/linux_os/guide/system/network/network-ufw/ufw_rate_limit/rule.yml
@@ -7,6 +7,25 @@ description: |-
     The operating system must configure the uncomplicated firewall to
     rate-limit impacted network interfaces.
 
+    Check all the services listening to the ports with the following
+    command:
+    <pre>$ sudo ss -l46ut
+    Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
+    tcp LISTEN 0 128 [::]:ssh [::]:*</pre>
+
+    For each entry, verify that the ufw is configured to rate limit the
+    service ports with the following command:
+    <pre>$ sudo ufw status</pre>
+
+    If any port with a state of "LISTEN" is not marked with the "LIMIT"
+    action, run the following command, replacing "service" with the
+    service that needs to be rate limited:
+    <pre>$ sudo ufw limit "service"</pre>
+
+    Rate-limiting can also be done on an interface. An example of adding
+    a rate-limit on the eth0 interface follows:
+    <pre>$ sudo ufw limit in on eth0</pre>
+
 rationale: |-
     This requirement addresses the configuration of the operating system to
     mitigate the impact of DoS attacks that have occurred or are ongoing on
diff --git a/linux_os/guide/system/network/network-ufw/ufw_rate_limit/sce/shared.sh b/linux_os/guide/system/network/network-ufw/ufw_rate_limit/sce/shared.sh
new file mode 100644
index 00000000000..42b580778d4
--- /dev/null
+++ b/linux_os/guide/system/network/network-ufw/ufw_rate_limit/sce/shared.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# check-import = stdout
+
+ufw_status="$(ufw status verbose)"
+
+# check ufw is running
+if grep -q "Status: inactive" <<< "$ufw_status"; then
+    exit $XCCDF_RESULT_FAIL
+fi
+
+# check default incoming rule is not allow
+if grep -q "Default: allow (incoming)" <<< "$ufw_status"; then
+    exit $XCCDF_RESULT_FAIL
+fi
+
+# check that listening ports which are open in the firewall are
+# not "ALLOW IN", and are thus rate-limited, deny or rejected, or
+# or using the default rule
+while read -r lpn;
+do
+    if grep -Pq "^\h*$lpn\b.*ALLOW IN" <<< "$ufw_status"; then
+        exit $XCCDF_RESULT_FAIL
+    fi
+done < <(ss -tulnH | awk '{n=split($5, a, ":"); print a[n]}' | sort -u)
+
+exit $XCCDF_RESULT_PASS
diff --git a/linux_os/guide/system/network/network-ufw/ufw_rate_limit/tests/allow.fail.sh b/linux_os/guide/system/network/network-ufw/ufw_rate_limit/tests/allow.fail.sh
new file mode 100644
index 00000000000..151d98ec5fd
--- /dev/null
+++ b/linux_os/guide/system/network/network-ufw/ufw_rate_limit/tests/allow.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# platforms = multi_platform_ubuntu
+# packages = ufw
+# remediation = none
+
+source common.sh
+
+ufw allow 22
+ufw limit 53
+ufw deny 631
+ufw -f enable
+
diff --git a/linux_os/guide/system/network/network-ufw/ufw_rate_limit/tests/common.sh b/linux_os/guide/system/network/network-ufw/ufw_rate_limit/tests/common.sh
new file mode 100644
index 00000000000..ce64b1df98e
--- /dev/null
+++ b/linux_os/guide/system/network/network-ufw/ufw_rate_limit/tests/common.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# mock `ss -tulnH`
+
+cat > /usr/local/bin/ss <<EOF
+cat <<FOE
+udp UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*
+udp UNCONN 0      0            0.0.0.0:631   0.0.0.0:*
+tcp LISTEN 0      4096   127.0.0.53%lo:53    0.0.0.0:*
+tcp LISTEN 0      128        127.0.0.1:631   0.0.0.0:*
+tcp LISTEN 0      128          0.0.0.0:22    0.0.0.0:*
+tcp LISTEN 0      128            [::1]:631      [::]:*
+tcp LISTEN 0      128             [::]:22       [::]:*
+FOE
+EOF
+chmod +x /usr/local/bin/ss
+
+ufw disable
+ufw -f reset
diff --git a/linux_os/guide/system/network/network-ufw/ufw_rate_limit/tests/correct.pass.sh b/linux_os/guide/system/network/network-ufw/ufw_rate_limit/tests/correct.pass.sh
new file mode 100644
index 00000000000..91ae4f9052d
--- /dev/null
+++ b/linux_os/guide/system/network/network-ufw/ufw_rate_limit/tests/correct.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platforms = multi_platform_ubuntu
+# packages = ufw
+
+source common.sh
+
+ufw limit 22
+ufw limit 53
+ufw deny 631
+ufw -f enable
diff --git a/linux_os/guide/system/network/network-ufw/ufw_rate_limit/tests/default_allow.fail.sh b/linux_os/guide/system/network/network-ufw/ufw_rate_limit/tests/default_allow.fail.sh
new file mode 100644
index 00000000000..9f4571da54c
--- /dev/null
+++ b/linux_os/guide/system/network/network-ufw/ufw_rate_limit/tests/default_allow.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platforms = multi_platform_ubuntu
+# packages = ufw
+
+source common.sh
+
+ufw default allow
+ufw -f enable
diff --git a/linux_os/guide/system/network/network-ufw/ufw_rate_limit/tests/disabled.fail.sh b/linux_os/guide/system/network/network-ufw/ufw_rate_limit/tests/disabled.fail.sh
new file mode 100644
index 00000000000..35b779dd301
--- /dev/null
+++ b/linux_os/guide/system/network/network-ufw/ufw_rate_limit/tests/disabled.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platforms = multi_platform_ubuntu
+# packages = ufw
+
+source common.sh
+
+ufw -f disable