Skip to content

Commit

Permalink
Merge pull request #11160 from Mab879/new_rule_dns_mode_nm
Browse files Browse the repository at this point in the history 
New Rule: networkmanager_dns_mode
  • Loading branch information
@jan-cerny
jan-cerny authored Oct 6, 2023
2 parents 4530b79 + 3dd2bde commit ecdee9b
Show file tree
Hide file tree
Showing 15 changed files with 151 additions and 1 deletion.
5 changes: 5 additions & 0 deletions components/networkmanager.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
name: NetworkManager
packages:
- NetworkManager
rules:
- networkmanager_dns_mode
4 changes: 4 additions & 0 deletions controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -225,6 +225,10 @@ controls:
- set_firewalld_default_zone
- firewalld_sshd_port_enabled

# NetworkManger
- networkmanager_dns_mode
- var_networkmanager_dns_mode=none

# misc
- enable_authselect
- no_host_based_files
Expand Down
7 changes: 7 additions & 0 deletions linux_os/guide/system/network/networkmanager/group.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
documentation_complete: true

title: 'Network Manager'

description: |-
The NetworkManager daemon configures a variety of network connections.
This section discusses how to configure NetworkManager.
14 changes: 14 additions & 0 deletions linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/ansible/shared.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
# platform = multi_platform_all
# reboot = false
# strategy = configure
# complexity = low
# disruption = low

{{{ ansible_instantiate_variables("var_networkmanager_dns_mode") }}}

{{{ ansible_ini_file_set("/etc/NetworkManager/NetworkManager.conf", "main", "dns", "{{ var_networkmanager_dns_mode }}") }}}

- name: "{{{ rule_title }}} - Ensure Network Manager"
ansible.builtin.systemd:
name: NetworkManager
state: reloaded
11 changes: 11 additions & 0 deletions linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/bash/shared.sh
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
# platform = multi_platform_all
# reboot = false
# strategy = configure
# complexity = low
# disruption = medium

{{{ bash_instantiate_variables("var_networkmanager_dns_mode") }}}

{{{ bash_ini_file_set("/etc/NetworkManager/NetworkManager.conf", "main", "dns", "$var_networkmanager_dns_mode") }}}

systemctl reload NetworkManager
12 changes: 12 additions & 0 deletions linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/oval/shared.xml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
{{{
oval_check_ini_file(
path="/etc/NetworkManager/NetworkManager.conf",
section="main",
parameter="dns",
value="default|none",
missing_parameter_pass=false,
application="NetworkManager",
multi_value=false,
missing_config_file_fail=true
)
}}}
15 changes: 15 additions & 0 deletions linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/policy/stig/shared.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
checktext: |-
[main]
dns=none
If the dns key under main does not exist or is not set to "none" or "default", this is a finding.
fixtext: |-
Configure NetworkManager in RHEL 9 to use a DNS mode.
In "/etc/NetworkManager/NetworkManager.conf" add the following line in the "[main]" section:
dns = none
srg_requirement: |-
{{ full_name }} must configure a DNS processing mode set be Network Manager.
34 changes: 34 additions & 0 deletions linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/rule.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
documentation_complete: true

prodtype: rhel9

title: 'NetworkManager DNS Mode Must Be Must Configured'

description:
The DNS processing mode in NetworkManager describes how DNS is processed on the system.
Depending the mode some changes the system's DNS may not be respected.

rationale:
To ensure that DNS resolver settings are respected, a DNS mode in NetworkManager must be configured.

severity: medium

identifiers:
cce@rhel9: CCE-86805-9

references:
disa: CCI-000366
nist: CM-6(b)
srg: SRG-OS-000480-GPOS-00227

ocil_clause: 'the dns key under main does not exist or is not set to "none" or "default"'


ocil: |-
Verify that {{{ full_name }}} has a DNS mode configured in Network Manager.
$ NetworkManager --print-config
[main]
dns={{{ xccdf_value("var_networkmanager_dns_mode") }}}
platform: package[NetworkManager]
8 changes: 8 additions & 0 deletions linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct.pass.sh
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
#!/bin/bash
# variables = var_networkmanager_dns_mode = none
# packages = NetworkManager

cat > /etc/NetworkManager/NetworkManager.conf << EOM
[main]
dns=none
EOM
8 changes: 8 additions & 0 deletions ...guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct_default.pass.sh
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
#!/bin/bash
# variables = var_networkmanager_dns_mode = default
# packages = NetworkManager

cat > /etc/NetworkManager/NetworkManager.conf << EOM
[main]
dns=default
EOM
4 changes: 4 additions & 0 deletions linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/missing.fail.sh
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
#!/bin/bash
# variables = var_networkmanager_dns_mode = default

sed '/^dns=.*$/d' /etc/NetworkManager/NetworkManager.conf
8 changes: 8 additions & 0 deletions ..._os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/wrong_value.fail.sh
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
#!/bin/bash
# variables = var_networkmanager_dns_mode = default
# packages = NetworkManager

cat > /etc/NetworkManager/NetworkManager.conf << EOM
[main]
dns=dnsmasq
EOM
19 changes: 19 additions & 0 deletions linux_os/guide/system/network/networkmanager/var_networkmanager_dns_mode.var
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
documentation_complete: true

title: 'NetoworkManager DNS Mode'

type: string

description: |-
This sets how NetworkManager handles DNS.

none - NetworkManager will not modify resolv.conf.
default - NetworkManager will update /etc/resolv.conf to reflect the nameservers provided by currently active connections.

interactive: true

operator: 'equals'

options:
none: none
default: default
2 changes: 2 additions & 0 deletions shared/applicability/package.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -97,3 +97,5 @@ args:
pkgname: zypper
openssh:
pkgname: openssh
networkmanager:
pkgname: NetworkManager
1 change: 0 additions & 1 deletion shared/references/cce-redhat-avail.txt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -452,7 +452,6 @@ CCE-86799-4
CCE-86802-6
CCE-86803-4
CCE-86804-2
CCE-86805-9
CCE-86806-7
CCE-86807-5
CCE-86808-3
Expand Down

0 comments on commit ecdee9b

Please sign in to comment.