Postfix network listening to loopback-only

[70k10]

Description:

Add remediation and update the OVAL checks to support loopback-only inet_interface line.

Rationale:

This is a CIS requirement. Also, still accepting localhost for RHEL6 per the RHEL6 STIG so we support both that and CIS for RHEL6/7/8.

[redhatrises]

@70k10 Thanks for this PR! Can you make the inet_interfaces options a XCCDF variable instead of hardcoded? That way you can select the variable based off of the OS and profile.

[redhatrises]

Instead of inet_interfaces[\s]*=[\s]*(localhost|loopback-only), let's make this a variable for customization sake.
See linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml and linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_flush.var for an example.

[70k10]

Sure thing, thanks for the reference.

[70k10]

@redhatrises Updated the check/remediation with a new variable. I think it is right, but scap-workbench was acting strange so it was hard to tell if the RHEL6 STIG applied the variable properly. I did see my changes in the ds-1.2.xml though.

[redhatrises]

Probably should add datatype="string" here.

[redhatrises]

@redhatrises Updated the check/remediation with a new variable. I think it is right, but scap-workbench was acting strange so it was hard to tell if the RHEL6 STIG applied the variable properly. I did see my changes in the ds-1.2.xml though.

@70k10 IIRC you need to add the datatype to the state. Also, looks like there are conflicts with cce-redhat-avail.txt.

[70k10]

@redhatrises I changed the state and fixed up the CCEs. Wasn't exactly sure if the datatype was necessary there as I found another example where that was omitted.

[redhatrises]

LGTM