Deactivate Wireless Network Interfaces

An XCCDF Rule

Description

Deactivating wireless network interfaces should prevent normal usage of the wireless capability.

Configure the system to disable wireless network interfaces by issuing the following command for every active <WIFI-INTERFACE> in the system:

$ sudo wicked ifdown <WIFI-INTERFACE>

Also remove the configuration files for every wifi adapter from /etc/wicked/ifconfig/<WIFI-INTERFACE>.xml to prevent future connections.

Rationale

The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.

ID: xccdf_org.ssgproject.content_rule_wireless_disable_interfaces
Severity: Medium
References: 11 12 14 15 3 8 9

APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06

3.1.16

CCI-000085 CCI-001443 CCI-001444 CCI-002418 CCI-002421

4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3

SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6

1315 1319

A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2

AC-18(1) SC-8

PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4

Req-1.3.3

SRG-OS-000299-GPOS-00117 SRG-OS-000300-GPOS-00118 SRG-OS-000424-GPOS-00188 SRG-OS-000481-GPOS-000481

SLES-12-030450

3.1.2

CCE-83148-7

1.3.3 2.3

SV-217298r854164_rule
Updated: about 1 year ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83148-7
  - DISA-STIG-SLES-12-030450  - NIST-800-171-3.1.16
  - NIST-800-53-AC-18(1)
  - NIST-800-53-SC-8
  - PCI-DSS-Req-1.3.3
  - PCI-DSSv4-1.3.3
  - PCI-DSSv4-2.3
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy
  - wireless_disable_interfaces

- name: Service facts
  ansible.builtin.service_facts: null
  tags:
  - CCE-83148-7
  - DISA-STIG-SLES-12-030450
  - NIST-800-171-3.1.16
  - NIST-800-53-AC-18(1)
  - NIST-800-53-SC-8
  - PCI-DSS-Req-1.3.3
  - PCI-DSSv4-1.3.3
  - PCI-DSSv4-2.3
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy
  - wireless_disable_interfaces

- name: Wicked Deactivate Wireless Network Interfaces
  command: wicked ifdown {{ item }}
  loop: '{{ ansible_facts.interfaces }}'
  when:
  - ansible_facts.services['wickedd.service'].state == 'running'
  - item.startswith("wl")
  tags:
  - CCE-83148-7
  - DISA-STIG-SLES-12-030450
  - NIST-800-171-3.1.16
  - NIST-800-53-AC-18(1)
  - NIST-800-53-SC-8
  - PCI-DSS-Req-1.3.3
  - PCI-DSSv4-1.3.3
  - PCI-DSSv4-2.3
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy
  - wireless_disable_interfaces

- name: Wicked Disable Wireless Network Interfaces
  lineinfile:
    path: /etc/sysconfig/network/ifcfg-{{ item }}
    regexp: ^STARTMODE=
    line: STARTMODE=off
  loop: '{{ ansible_facts.interfaces }}'
  when:
  - ansible_facts.services['wickedd.service'].state == 'running'
  - item.startswith("wl")
  tags:
  - CCE-83148-7
  - DISA-STIG-SLES-12-030450
  - NIST-800-171-3.1.16
  - NIST-800-53-AC-18(1)
  - NIST-800-53-SC-8
  - PCI-DSS-Req-1.3.3
  - PCI-DSSv4-1.3.3
  - PCI-DSSv4-2.3
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy
  - wireless_disable_interfaces

- name: NetworkManager Deactivate Wireless Network Interfaces
  command: nmcli radio wifi off
  when:
  - '''NetworkManager'' in ansible_facts.packages'
  - ansible_facts.services['NetworkManager.service'].state == 'running'
  tags:
  - CCE-83148-7
  - DISA-STIG-SLES-12-030450
  - NIST-800-171-3.1.16
  - NIST-800-53-AC-18(1)
  - NIST-800-53-SC-8
  - PCI-DSS-Req-1.3.3
  - PCI-DSSv4-1.3.3
  - PCI-DSSv4-2.3
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy
  - wireless_disable_interfaces


zypper install -y "NetworkManager"

if command -v nmcli >/dev/null 2>&1 && systemctl is-active NetworkManager >/dev/null 2>&1; then
    nmcli radio all off
fi
if command -v wicked >/dev/null 2>&1 && systemctl is-active wickedd >/dev/null 2>&1; then
  if [ -n "$(find /sys/class/net/*/ -type d -name wireless)" ]; then
    interfaces=$(find /sys/class/net/*/wireless -type d -name wireless | xargs -0 dirname | xargs basename)
    for iface in $interfaces; do
      wicked ifdown $iface
      sed -i 's/STARTMODE=.*/STARTMODE=off/' /etc/sysconfig/network/ifcfg-$iface
    done
  fi
fi

Deactivate Wireless Network Interfaces

Description

Rationale

Remediation - Ansible

Remediation - Shell Script