New Rule: networkmanager_dns_mode #11160

Merged
merged 5 commits into from
Oct 6, 2023
5 changes: 5 additions & 0 deletions components/networkmanager.yml
@@ -0,0 +1,5 @@
name: NetworkManager
packages:
- NetworkManager
rules:
- networkmanager_dns_mode
4 changes: 4 additions & 0 deletions controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
@@ -225,6 +225,10 @@ controls:
- set_firewalld_default_zone
- firewalld_sshd_port_enabled

# NetworkManger
- networkmanager_dns_mode
- var_networkmanager_dns_mode=none

# misc
- enable_authselect
- no_host_based_files
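Review bot: the section comment `# NetworkManger` is missing an "a"; rename it to `# NetworkManager` so it matches the daemon name used in `components/networkmanager.yml` and in the rule id on the next line.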
7 changes: 7 additions & 0 deletions linux_os/guide/system/network/networkmanager/group.yml
@@ -0,0 +1,7 @@
documentation_complete: true

title: 'Network Manager'

description: |-
The NetworkManager daemon configures a variety of network connections.
This section discusses how to configure NetworkManager.
@@ -0,0 +1,14 @@
# platform = multi_platform_all
# reboot = false
# strategy = configure
# complexity = low
# disruption = low

{{{ ansible_instantiate_variables("var_networkmanager_dns_mode") }}}

{{{ ansible_ini_file_set("/etc/NetworkManager/NetworkManager.conf", "main", "dns", "{{ var_networkmanager_dns_mode }}") }}}

- name: "{{{ rule_title }}} - Ensure Network Manager"
ansible.builtin.systemd:
name: NetworkManager
state: reloaded
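Review bot: the task name `"{{{ rule_title }}} - Ensure Network Manager"` is cut off and does not say what the task does; rename it to something like `- name: "{{{ rule_title }}} - Reload NetworkManager"`. Two further points on this hunk: `state: reloaded` runs on every play and fails when the unit is not running, so consider running the reload only when the preceding ini change reported `changed`, or guarding it on the unit being active; and the header says `# disruption = low` while the bash remediation for the same edit-and-reload says `# disruption = medium`, so the two metadata values should agree.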
@@ -0,0 +1,11 @@
# platform = multi_platform_all
# reboot = false
# strategy = configure
# complexity = low
# disruption = medium

{{{ bash_instantiate_variables("var_networkmanager_dns_mode") }}}

{{{ bash_ini_file_set("/etc/NetworkManager/NetworkManager.conf", "main", "dns", "$var_networkmanager_dns_mode") }}}

systemctl reload NetworkManager
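Review bot: `systemctl reload NetworkManager` runs unconditionally and returns non-zero when the unit is inactive (package installed but service disabled, or a container build), which would mark the remediation as failed even though the config was written. `systemctl try-reload-or-restart NetworkManager` is a no-op for an inactive unit and avoids that, or guard the reload with `systemctl is-active NetworkManager`.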
@@ -0,0 +1,12 @@
{{{
oval_check_ini_file(
path="/etc/NetworkManager/NetworkManager.conf",
section="main",
parameter="dns",
value="default|none",
missing_parameter_pass=false,
application="NetworkManager",
multi_value=false,
missing_config_file_fail=true
)
}}}
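Review bot: the check compares against the fixed pattern `value="default|none"` and never reads `var_networkmanager_dns_mode`, so a host left at `dns=default` passes in a profile that selects `var_networkmanager_dns_mode=none` (as `controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml` does), while both remediations write the selected value. Either pass the variable into the check, or document that the rule only verifies that one of the two modes is set; a test scenario with `# variables = var_networkmanager_dns_mode = none` and `dns=default` in the file would make the intended behaviour explicit either way.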
@@ -0,0 +1,15 @@
checktext: |-
[main]
dns=none

If the dns key under main does not exist or is not set to "none" or "default", this is a finding.

fixtext: |-
Configure NetworkManager in RHEL 9 to use a DNS mode.

In "/etc/NetworkManager/NetworkManager.conf" add the following line in the "[main]" section:

dns = none

srg_requirement: |-
{{ full_name }} must configure a DNS processing mode set be Network Manager.
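Review bot: `{{ full_name }}` in `srg_requirement` uses two braces where the project's Jinja delimiters are three (`{{{ full_name }}}`, as in the rule's `ocil`), so it will render literally. The same line's wording "a DNS processing mode set be Network Manager" should read something like "a DNS processing mode in NetworkManager". Also, `fixtext` hardcodes "RHEL 9" where the macro would do, and shows `dns = none` while `checktext` shows `dns=none`; pick one form. The check text could also name the command to run, as the `ocil` does with `NetworkManager --print-config`.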
@@ -0,0 +1,34 @@
documentation_complete: true

prodtype: rhel9

title: 'NetworkManager DNS Mode Must Be Must Configured'

description:
The DNS processing mode in NetworkManager describes how DNS is processed on the system.
Depending the mode some changes the system's DNS may not be respected.

rationale:
To ensure that DNS resolver settings are respected, a DNS mode in NetworkManager must be configured.

severity: medium

identifiers:
cce@rhel9: CCE-86805-9

references:
disa: CCI-000366
nist: CM-6(b)
srg: SRG-OS-000480-GPOS-00227

ocil_clause: 'the dns key under main does not exist or is not set to "none" or "default"'


ocil: |-
Verify that {{{ full_name }}} has a DNS mode configured in Network Manager.

$ NetworkManager --print-config
[main]
dns={{{ xccdf_value("var_networkmanager_dns_mode") }}}

platform: package[NetworkManager]
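Review bot: the title `'NetworkManager DNS Mode Must Be Must Configured'` repeats "Must", and the description sentence "Depending the mode some changes the system's DNS may not be respected." needs rewording (e.g. "Depending on the mode, changes to the system's DNS settings may not be honoured."). `description:` and `rationale:` are plain multi-line scalars while the rest of the file uses `|-`; use the block style for consistency. `ocil_clause` hardcodes "none" or "default" while `ocil` prints the selected value of `var_networkmanager_dns_mode`, so the two should agree. Lastly, `platform: package[NetworkManager]` uses a different case from the key added in `shared/applicability/package.yml` (`networkmanager:`); confirm the lookup is case-insensitive or align the two.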
@@ -0,0 +1,8 @@
#!/bin/bash
# variables = var_networkmanager_dns_mode = none
# packages = NetworkManager

cat > /etc/NetworkManager/NetworkManager.conf << EOM
[main]
dns=none
EOM
@@ -0,0 +1,8 @@
#!/bin/bash
# variables = var_networkmanager_dns_mode = default
# packages = NetworkManager

cat > /etc/NetworkManager/NetworkManager.conf << EOM
[main]
dns=default
EOM
@@ -0,0 +1,4 @@
#!/bin/bash
# variables = var_networkmanager_dns_mode = default

sed '/^dns=.*$/d' /etc/NetworkManager/NetworkManager.conf
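Review bot: `sed '/^dns=.*$/d' ...` has no `-i`, so it prints the file to stdout and leaves `/etc/NetworkManager/NetworkManager.conf` unchanged; use `sed -i`. This scenario also omits the `# packages = NetworkManager` header the other scenarios carry, so the config file may not exist at all and the expected failure would come from `missing_config_file_fail=true` rather than from the missing `dns` key the test is meant to exercise.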
@@ -0,0 +1,8 @@
#!/bin/bash
# variables = var_networkmanager_dns_mode = default
# packages = NetworkManager

cat > /etc/NetworkManager/NetworkManager.conf << EOM
[main]
dns=dnsmasq
EOM
@@ -0,0 +1,19 @@
documentation_complete: true

title: 'NetoworkManager DNS Mode'

type: string

description: |-
This sets how NetworkManager handles DNS.

none - NetworkManager will not modify resolv.conf.
default - NetworkManager will update /etc/resolv.conf to reflect the nameservers provided by currently active connections.

interactive: true

operator: 'equals'

options:
none: none
default: default
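Review bot: typo in `title: 'NetoworkManager DNS Mode'`; it should read `NetworkManager`.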
2 changes: 2 additions & 0 deletions shared/applicability/package.yml
@@ -97,3 +97,5 @@ args:
pkgname: zypper
openssh:
pkgname: openssh
networkmanager:
pkgname: NetworkManager
1 change: 0 additions & 1 deletion shared/references/cce-redhat-avail.txt
@@ -452,7 +452,6 @@ CCE-86799-4
CCE-86802-6
CCE-86803-4
CCE-86804-2
CCE-86805-9
CCE-86806-7
CCE-86807-5
CCE-86808-3