Add oval check logic for has_nonlocal_mta to also check port 465 587

ComplianceAsCode · Jan 13, 2025 · bef3745 · bef3745
1 parent eaa8e52
commit bef3745
Showing 1 changed file with 33 additions and 4 deletions.
diff --git a/linux_os/guide/services/mail/has_nonlocal_mta/oval/shared.xml b/linux_os/guide/services/mail/has_nonlocal_mta/oval/shared.xml
@@ -1,9 +1,13 @@
 <def-group>
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
     {{{ oval_metadata("Verify MTA is not listening on any non-loopback address") }}}
-    <criteria>
-      <criterion test_ref="tst_nothing_listening_external_mta_port"
-            comment="mta is not listening on any non-loopbackaddress" />
+    <criteria operator="AND">
+      <criterion test_ref="tst_nothing_listening_external_mta_port_25"
+            comment="mta is not listening on any non-loopbackaddress for port 25" />
+{{% if 'ubuntu' in product %}}
+      <criterion test_ref="tst_nothing_listening_external_mta_port_465_587"
+                comment="mta is not listening on any non-loopback address for ports 465 and 587" />
+{{% endif %}}
     </criteria>
   </definition>
   <linux:inetlisteningservers_object id="obj_listening_port_25" version="1">
@@ -20,8 +24,33 @@
     <linux:local_address operation="equals">::1</linux:local_address>
   </linux:inetlisteningservers_state>
   <linux:inetlisteningservers_test check="all" check_existence="none_exist"
-      id="tst_nothing_listening_external_mta_port" version="1"
+      id="tst_nothing_listening_external_mta_port_25" version="1"
       comment="mta is not listening on any non-loopback address">
     <linux:object object_ref="obj_listening_port_25" />
   </linux:inetlisteningservers_test>
+{{% if 'ubuntu' in product %}}
+  <linux:inetlisteningservers_object id="obj_listening_ports_465_587" version="1">
+    <linux:protocol>tcp</linux:protocol>
+    <linux:local_address operation="not equal">127.0.0.1</linux:local_address>
+    <linux:local_port datatype="int">465</linux:local_port>
+    <linux:local_port datatype="int">587</linux:local_port>
+    <filter action="exclude">ste_not_ports_465</filter>
+    <filter action="exclude">ste_not_ports_587</filter>
+    <filter action="exclude">ste_not_on_localhost</filter>
+  </linux:inetlisteningservers_object>
+
+  <linux:inetlisteningservers_state id="ste_not_ports_465" version="1">
+    <linux:local_port datatype="int" operation="not equal">465</linux:local_port>
+  </linux:inetlisteningservers_state>
+
+  <linux:inetlisteningservers_state id="ste_not_ports_587" version="1">
+    <linux:local_port datatype="int" operation="not equal">587</linux:local_port>
+  </linux:inetlisteningservers_state>
+
+  <linux:inetlisteningservers_test check="all" check_existence="none_exist"
+      id="tst_nothing_listening_external_mta_port_465_587" version="1"
+      comment="mta is not listening on any non-loopback address">
+    <linux:object object_ref="obj_listening_ports_465_587" />
+  </linux:inetlisteningservers_test>
+{{% endif %}}
 </def-group>