NetworkManager DNS Mode Must Be Must Configured

An XCCDF Rule

Description

The DNS processing mode in NetworkManager describes how DNS is processed on the system. Depending the mode some changes the system's DNS may not be respected.

Rationale

To ensure that DNS resolver settings are respected, a DNS mode in NetworkManager must be configured.

ID: xccdf_org.ssgproject.content_rule_networkmanager_dns_mode
Severity: Medium
References: CCI-000366

CM-6(b)

SRG-OS-000480-GPOS-00227

SV-257949r925834_rule
Updated: 8 months ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-RHEL-09-252040
  - NIST-800-53-CM-6(b)  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - networkmanager_dns_mode
  - no_reboot_needed
- name: XCCDF Value var_networkmanager_dns_mode # promote to variable
  set_fact:
    var_networkmanager_dns_mode: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_networkmanager_dns_mode" use="legacy"/>
  tags:
    - always

- name: Set 'dns' to '{{ var_networkmanager_dns_mode }}' in the [main] section of
    '/etc/NetworkManager/NetworkManager.conf'
  ini_file:
    path: /etc/NetworkManager/NetworkManager.conf
    section: main
    option: dns
    value: '{{ var_networkmanager_dns_mode }}'
    create: true
    mode: 420
  when: '"NetworkManager" in ansible_facts.packages'
  tags:
  - DISA-STIG-RHEL-09-252040
  - NIST-800-53-CM-6(b)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - networkmanager_dns_mode
  - no_reboot_needed

- name: NetworkManager DNS Mode Must Be Must Configured - Ensure Network Manager
  ansible.builtin.systemd:
    name: NetworkManager
    state: reloaded
  when: '"NetworkManager" in ansible_facts.packages'
  tags:
  - DISA-STIG-RHEL-09-252040
  - NIST-800-53-CM-6(b)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - networkmanager_dns_mode
  - no_reboot_needed

# Remediation is applicable only in certain platforms
if rpm --quiet -q NetworkManager; then

var_networkmanager_dns_mode='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_networkmanager_dns_mode" use="legacy"/>'


# Try find '[main]' and 'dns' in '/etc/NetworkManager/NetworkManager.conf', if it exists, set
# to '$var_networkmanager_dns_mode', if it isn't here, add it, if '[main]' doesn't exist, add it there
if grep -qzosP '[[:space:]]*\[main]([^\n\[]*\n+)+?[[:space:]]*dns' '/etc/NetworkManager/NetworkManager.conf'; then
    
    sed -i "s/dns[^(\n)]*/dns=$var_networkmanager_dns_mode/" '/etc/NetworkManager/NetworkManager.conf'
elif grep -qs '[[:space:]]*\[main]' '/etc/NetworkManager/NetworkManager.conf'; then
    sed -i "/[[:space:]]*\[main]/a dns=$var_networkmanager_dns_mode" '/etc/NetworkManager/NetworkManager.conf'
else
    if test -d "/etc/NetworkManager"; then
        printf '%s\n' '[main]' "dns=$var_networkmanager_dns_mode" >> '/etc/NetworkManager/NetworkManager.conf'
    else
        echo "Config file directory '/etc/NetworkManager' doesnt exist, not remediating, assuming non-applicability." >&2
    fi
fi

systemctl reload NetworkManager

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

NetworkManager DNS Mode Must Be Must Configured

Description

Rationale

Remediation - Ansible

Remediation - Shell Script