CIS 3.5.4.1.4 on bionic does not work for some cases.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu Security Certifications | Fix Released | Undecided | Adam Bell |
Bug Description
It looks like we have bugs in the CIS hardening script for rule "Ensure firewall rules exist for all open ports" (CIS 3.5.4.1.4).
First:
There may be listening ports assigned to a specific interface and IP like below (which is also the case we've met with a customer):
udp 10.10.10.10%ens3 68
In the script the "10.10.10.10%ens3" part is completely assigned to the addr variable, and it is not possible to parse this value in the iptables rules with:
iptables -n -L INPUT -v | tail -n+3 | tr -s ' ' | cut -d ' ' -f4,5,7,9,10,11,12 |\
grep -P "^ACCEPT\
So it returns 1.
Secondly:
Also, if there is a listening port (for example 22) on 0.0.0.0 and the iptables rule was written with a limited source IP like below:
sudo iptables -A INPUT -p tcp -s 5.0.0.0/12 -d 192.168.122.36 --dport 22 -j ACCEPT
Again it is failing and returns exit 1, because it expects 0.0.0.0/0 as the source IP. I think it should return 0, as there would be a firewall rule for this open port (22). It should not need to be opened to the world (0.0.0.0/0).
It affects one of our customers. They have a listening port like udp 10.10.10.10%ens3 68.
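As an added example (not the CIS hardening script itself, which this page does not reproduce), the matcher below handles both reported cases: it strips the `%iface` suffix before comparing addresses, and it accepts a rule whose source is narrower than 0.0.0.0/0. The listening sockets and the iptables output are constructed sample data.

```sh
#!/bin/sh
# Added example, not the CIS hardening script: a port-to-rule matcher that
# handles both cases from the report. All data below is constructed.

# Constructed listening sockets as "proto addr port" (note the %iface suffix).
LISTEN='udp 10.10.10.10%ens3 68
tcp 0.0.0.0 22
tcp 0.0.0.0 8080'

# Constructed body of `iptables -n -L INPUT -v` (header lines already dropped).
# Fields: pkts bytes target prot opt in out source destination [extra...]
RULES='0 0 ACCEPT udp -- * * 0.0.0.0/0 10.10.10.10 udp dpt:68
0 0 ACCEPT tcp -- * * 5.0.0.0/12 192.168.122.36 tcp dpt:22
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0'

# rule_exists PROTO ADDR PORT: exit 0 if some ACCEPT rule covers the socket.
rule_exists() {
  want_proto=$1 want_port=$3
  want_addr=${2%%%*}   # drop "%ens3": rules are written against the bare address
  printf '%s\n' "$RULES" | {
    while read -r pkts bytes target prot opt iface_in iface_out src dst rest; do
      [ "$target" = ACCEPT ] || continue
      [ "$prot" = "$want_proto" ] || continue
      case " $rest " in *" dpt:$want_port "*) ;; *) continue ;; esac
      # The source is deliberately not compared: a rule limited to 5.0.0.0/12
      # still governs the port, so 0.0.0.0/0 must not be required.
      # The destination must be the wildcard, the socket address, or anything
      # at all when the socket itself listens on 0.0.0.0.
      if [ "$want_addr" = 0.0.0.0 ] || [ "$dst" = 0.0.0.0/0 ] \
         || [ "$dst" = "$want_addr" ]; then
        exit 0
      fi
    done
    exit 1
  }
}

# check_open_ports: exit 0 only when every listening socket has a rule.
check_open_ports() {
  printf '%s\n' "$LISTEN" | while read -r proto addr port; do
    if rule_exists "$proto" "$addr" "$port"; then
      echo "ok      $proto $addr $port"
    else
      echo "MISSING $proto $addr $port"
      exit 1
    fi
  done
}

if check_open_ports; then echo "CIS 3.5.4.1.4: PASS"; else echo "CIS 3.5.4.1.4: FAIL"; fi
```

With the constructed data the check reports the udp/68 and tcp/22 sockets as covered and flags tcp/8080, which has no rule.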
Changed in ubuntu-security-certifications:
assignee: nobody → Adam Bell (arbell)
status: New → In Progress
Changed in ubuntu-security-certifications:
status: In Progress → Fix Committed
Hello,
This has been fixed with ubuntu-security-guides 18.04.19.1 for Bionic.
Thank you for your report!