Merge pull request #4832 from 70k10/cis_postfix

Postfix network listening to loopback-only

linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/ansible/shared.yml

@@ -0,0 +1,8 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- (xccdf-var var_postfix_inet_interfaces)
+
+{{{ ansible_lineinfile(msg='Ensure mail transfer agent is configured for local-only mode', path='/etc/postfix/main.cf', regex='^inet_interfaces\s*=\s.*', new_line='inet_interfaces = {{ var_postfix_inet_interfaces }}', create='no', state='present', insert_after='^inet_interfaces\s*=\s.*') }}}

linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/oval/shared.xml

@@ -22,8 +22,14 @@
 
   <ind:textfilecontent54_object id="obj_postfix_network_listening_disabled" comment="inet_interfaces in /etc/postfix/main.cf should be set correctly" version="1">
     <ind:filepath>/etc/postfix/main.cf</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*inet_interfaces[\s]*=[\s]*localhost[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match">^[\s]*inet_interfaces[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
+  <ind:textfilecontent54_state id="state_postfix_network_listening_disabled" version="1">
+    <ind:subexpression datatype="string" operation="equals" var_ref="var_postfix_inet_interfaces" />
+  </ind:textfilecontent54_state>
+
+  <external_variable comment="external variable for postfix inet_interfaces" datatype="string" id="var_postfix_inet_interfaces" version="1" />
+
 </def-group>

linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml

@@ -7,7 +7,8 @@ title: 'Disable Postfix Network Listening'
 description: |-
     Edit the file <tt>/etc/postfix/main.cf</tt> to ensure that only the following
     <tt>inet_interfaces</tt> line appears:
-    <pre>inet_interfaces = localhost</pre>
+    <pre>inet_interfaces = <sub idref="var_postfix_inet_interfaces" /></pre>
+
 
 rationale: |-
     This ensures <tt>postfix</tt> accepts mail messages
@@ -19,6 +20,7 @@ severity: medium
 identifiers:
     cce@rhel6: 26780-7
     cce@rhel7: 80289-2
+    cce@rhel8: 82174-4
 
 references:
     stigid@rhel6: "000249"
@@ -38,4 +40,5 @@ ocil_clause: 'it does not'
 ocil: |-
     Run the following command to ensure postfix accepts mail messages from only the local system:
     <pre>$ grep inet_interfaces /etc/postfix/main.cf</pre>
-    If properly configured, the output should show only <tt>localhost</tt>.
+    If properly configured, the output should show only <tt><sub idref="var_postfix_inet_interfaces" /></tt>.
+

linux_os/guide/services/mail/postfix_client/var_postfix_inet_interfaces.var

@@ -0,0 +1,14 @@
+documentation_complete: true
+
+title: 'Postfix Network Interfaces'
+
+description: 'The setting for inet_interfaces in /etc/postfix/main.cf'
+
+type: string
+
+interactive: false
+
+options:
+    loopback-only: loopback-only
+    default: loopback-only
+    localhost: localhost

rhel6/profiles/stig.profile

@@ -104,3 +104,5 @@ selections:
     - no_password_auth_for_systemaccounts
     - wireless_disable_interfaces
     - configure_user_data_backups
+    - var_postfix_inet_interfaces=localhost
+    - postfix_network_listening_disabled

shared/references/cce-redhat-avail.txt

@@ -1,4 +1,3 @@
-CCE-82174-4
 CCE-82178-5
 CCE-82179-3
 CCE-82180-1