[PATCH 2/3] Added a macro for common iptable rules

--- RHEL6/transforms/shorthand2xccdf.xslt | 31 +++++++++++++++++++++++++++++++ 1 files changed, 31 insertions(+), 0 deletions(-) diff --git a/RHEL6/transforms/shorthand2xccdf.xslt b/RHEL6/transforms/shorthand2xccdf.xslt index c9077d1..d1b1258 100644 --- a/RHEL6/transforms/shorthand2xccdf.xslt +++ b/RHEL6/transforms/shorthand2xccdf.xslt @@ -395,6 +395,37 @@ system call, run the following command: If the system is configured to audit this activity, it will return a line. </xsl:template> + <!--Example usage: <iptables-desc-macro allow="true" net="false" proto="tcp" + port="80" /> --> + <!-- allow (boolean): optional attribute which defaults to true, or to + allow this traffic through --> + <!-- net (boolean): optional attribute which determines if -s netwk/mask + is put in. By defaults this is false --> + <!-- proto (string): protocol in question, typically tcp or udp --> + <!-- port (integer): port in question --> + <xsl:template match="iptables-desc-macro"> + <xsl:choose> + <xsl:when test="@allow = 'false'"> + <!-- allow: optional attribute which defaults to true, or to allow this traffic through --> + To configure <xhtml:code>iptables</xhtml:code> to not allow port + <xsl:value-of select="@port"/> traffic one must edit + <xhtml:code>/etc/sysconfig/iptables</xhtml:code> and + <xhtml:code>/etc/sysconfig/ip6tables</xhtml:code> (if IPv6 is in use). + Remove the following line, ensuring that it does not appear in the INPUT + chain: + <xhtml:pre xml:space="preserve">-A INPUT <xsl:if test="@net = 'true'">-s netwk/mask </xsl:if>-m state --state NEW -p <xsl:value-of select="@proto"/> --dport <xsl:value-of select="@port"/> -j ACCEPT</xhtml:pre> + </xsl:when> + <xsl:otherwise> + To configure <xhtml:code>iptables</xhtml:code> to allow port + <xsl:value-of select="@port"/> traffic one must edit + <xhtml:code>/etc/sysconfig/iptables</xhtml:code> and + <xhtml:code>/etc/sysconfig/ip6tables</xhtml:code> (if IPv6 is in use). + Add the following line, ensuring that it appears before the final LOG + and DROP lines for the INPUT chain: + <xhtml:pre xml:space="preserve">-A INPUT <xsl:if test="@net = 'true'">-s netwk/mask </xsl:if>-m state --state NEW -p <xsl:value-of select="@proto"/> --dport <xsl:value-of select="@port"/> -j ACCEPT</xhtml:pre> + </xsl:otherwise> + </xsl:choose> + </xsl:template> <xsl:template match="sshd-check-macro"> <!-- could also do this with sshd -T to test live configuration --> -- 1.7.7.6