2024-04-13 12:33:24
Przemyslaw Hausman
description
The check /usr/share/ubuntu-scap-security-guides/1/benchmarks/ubuntu2204/checks/sce/ip6tables_rules_for_open_ports.sh incorrectly parses the output of `ip6tables -L INPUT -v -n`.
As a result, the ip6tables_rules_for_open_ports.sh check returns an incorrect return value, marking the rule as failed.
I have a system with the following open ports:
```
# ss -6tuln
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 [fc00:722d:3a95:450e:f816:3eff:fe96:aedf]:5555 [::]:*
udp UNCONN 0 0 [::]:6081 [::]:*
tcp LISTEN 0 1024 [::1]:11211 [::]:*
tcp LISTEN 0 100 [::1]:25 [::]:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 511 *:80 *:*
tcp LISTEN 0 511 *:443 *:*
tcp LISTEN 0 511 *:9856 *:*
tcp LISTEN 0 511 *:9866 *:*
tcp LISTEN 0 4096 *:9876 *:*
```
On this system, running the check fails because:
```
# ss -6tuln | awk '($5!~/%lo:/ && $5!~/127.0.0.1:/ && $5!~/::1/) {split($5, a, ":"); print a[2]}i' | sort | uniq
443
722d <---- THIS IS INCORRECT
80
9856
9866
9876
```
usg version: 22.04.6