Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

NAS-133084 / 25.04 / Adjust SMB server configuration for GPOS STIG #15213

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

NAS-133084 / 25.04 / Adjust SMB server configuration for GPOS STIG #15213

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 9 additions & 1 deletion src/middlewared/middlewared/plugins/smb.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -162,9 +162,17 @@ def generate_smb_configuration(self):
smb_shares = self.middleware.call_sync('sharing.smb.query')
bind_ip_choices = self.middleware.call_sync('smb.bindip_choices')
is_enterprise = self.middleware.call_sync('system.is_enterprise')
security_config = self.middleware.call_sync('system.security.config')

return generate_smb_conf_dict(
ds_type, ds_config, smb_config, smb_shares, bind_ip_choices, idmap_config, is_enterprise
ds_type,
ds_config,
smb_config,
smb_shares,
bind_ip_choices,
idmap_config,
is_enterprise,
security_config,
)

@api_method(SmbServiceBindIPChoicesArgs, SmbServiceBindIPChoicesResult)
Expand Down
11 changes: 10 additions & 1 deletion src/middlewared/middlewared/plugins/smb_/util_smbconf.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -266,7 +266,8 @@ def generate_smb_conf_dict(
smb_shares: list,
smb_bind_choices: dict,
idmap_settings: list,
is_enterprise: bool = False
is_enterprise: bool,
security_config: dict[str, bool]
):
guest_enabled = any(filter_list(smb_shares, [['guestok', '=', True]]))
fsrvp_enabled = any(filter_list(smb_shares, [['fsrvp', '=', True]]))
Expand Down Expand Up @@ -557,6 +558,14 @@ def generate_smb_conf_dict(
param, value = entry.split('=', 1)
smbconf[param.strip()] = value.strip()

# Ordering here is relevant. Do not permit smb_options to override required
# settings for the STIG.
if security_config['enable_gpos_stig']:
smbconf.update({
'client use kerberos': 'required',
'ntlm auth': 'disabled'
})

# The following parameters must come after processing includes in order to
# prevent auxiliary parameters from overriding them
smbconf.update({
Expand Down
60 changes: 36 additions & 24 deletions tests/unit/test_smb_service.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,8 @@
SMB_ENCRYPTION_NEGOTIATE = BASE_SMB_CONFIG | {'encryption': 'NEGOTIATE'}
SMB_ENCRYPTION_DESIRED = BASE_SMB_CONFIG | {'encryption': 'DESIRED'}
SMB_ENCRYPTION_REQUIRED = BASE_SMB_CONFIG | {'encryption': 'REQUIRED'}
SYSTEM_SECURITY_DEFAULT = {'id': 1, 'enable_fips': False, 'enable_gpos_stig': False}
SYSTEM_SECURITY_GPOS_STIG = {'id': 1, 'enable_fips': True, 'enable_gpos_stig': True}


BASE_SMB_SHARE = {
Expand Down Expand Up @@ -213,7 +215,7 @@
def test__base_smb():
conf = generate_smb_conf_dict(
None, None, BASE_SMB_CONFIG, [],
BIND_IP_CHOICES, BASE_IDMAP
BIND_IP_CHOICES, BASE_IDMAP, False, SYSTEM_SECURITY_DEFAULT
)
assert conf['netbios name'] == 'TESTSERVER'
assert conf['netbios aliases'] == 'BOB LARRY'
Expand All @@ -238,7 +240,7 @@ def test__base_smb():
def test__base_smb_enterprise():
conf = generate_smb_conf_dict(
None, None, BASE_SMB_CONFIG, [],
BIND_IP_CHOICES, BASE_IDMAP, True
BIND_IP_CHOICES, BASE_IDMAP, True, SYSTEM_SECURITY_DEFAULT
)
assert conf['zfs_core:zfs_integrity_streams'] is True
assert conf['zfs_core:zfs_block_cloning'] is True
Expand All @@ -247,55 +249,55 @@ def test__base_smb_enterprise():
def test__syslog():
conf = generate_smb_conf_dict(
None, None, SMB_SYSLOG, [],
BIND_IP_CHOICES, BASE_IDMAP
BIND_IP_CHOICES, BASE_IDMAP, False, SYSTEM_SECURITY_DEFAULT
)
assert conf['logging'] == ('syslog@1 file')


def test__localmaster():
conf = generate_smb_conf_dict(
None, None, SMB_LOCALMASTER, [],
BIND_IP_CHOICES, BASE_IDMAP
BIND_IP_CHOICES, BASE_IDMAP, False, SYSTEM_SECURITY_DEFAULT
)
assert conf['local master'] is True


def test__guestaccount():
conf = generate_smb_conf_dict(
None, None, SMB_GUEST, [],
BIND_IP_CHOICES, BASE_IDMAP
BIND_IP_CHOICES, BASE_IDMAP, False, SYSTEM_SECURITY_DEFAULT
)
assert conf['guest account'] == 'mike'


def test__bindip():
conf = generate_smb_conf_dict(
None, None, SMB_BINDIP, [],
BIND_IP_CHOICES, BASE_IDMAP
BIND_IP_CHOICES, BASE_IDMAP, False, SYSTEM_SECURITY_DEFAULT
)
assert set(conf['interfaces'].split(' ')) == set(['192.168.0.250', '127.0.0.1'])


def test__ntlmv1auth():
conf = generate_smb_conf_dict(
None, None, SMB_NTLMV1, [],
BIND_IP_CHOICES, BASE_IDMAP
BIND_IP_CHOICES, BASE_IDMAP, False, SYSTEM_SECURITY_DEFAULT
)
assert conf['ntlm auth'] is True


def test__smb1_enable():
conf = generate_smb_conf_dict(
None, None, SMB_SMB1, [],
BIND_IP_CHOICES, BASE_IDMAP
BIND_IP_CHOICES, BASE_IDMAP, False, SYSTEM_SECURITY_DEFAULT
)
assert conf['server min protocol'] == 'NT1'


def test__smb_options():
conf = generate_smb_conf_dict(
None, None, SMB_OPTIONS, [],
BIND_IP_CHOICES, BASE_IDMAP
BIND_IP_CHOICES, BASE_IDMAP, False, SYSTEM_SECURITY_DEFAULT
)
assert conf['canary'] == 'bob'
assert conf['canary2'] == 'bob2'
Expand All @@ -304,15 +306,15 @@ def test__smb_options():
def test__multichannel():
conf = generate_smb_conf_dict(
None, None, SMB_MULTICHANNEL, [],
BIND_IP_CHOICES, BASE_IDMAP
BIND_IP_CHOICES, BASE_IDMAP, False, SYSTEM_SECURITY_DEFAULT
)
assert conf['server multichannel support'] is True


def test__homes_share():
conf = generate_smb_conf_dict(
None, None, BASE_SMB_CONFIG, [HOMES_SHARE],
BIND_IP_CHOICES, BASE_IDMAP
BIND_IP_CHOICES, BASE_IDMAP, False, SYSTEM_SECURITY_DEFAULT
)
assert 'obey pam restrictions' in conf
assert conf['obey pam restrictions'] is True
Expand All @@ -321,15 +323,15 @@ def test__homes_share():
def test__guest_share():
conf = generate_smb_conf_dict(
None, None, BASE_SMB_CONFIG, [GUEST_SHARE],
BIND_IP_CHOICES, BASE_IDMAP
BIND_IP_CHOICES, BASE_IDMAP, False, SYSTEM_SECURITY_DEFAULT
)
assert conf['restrict anonymous'] == 0


def test__fsrvp_share():
conf = generate_smb_conf_dict(
None, None, BASE_SMB_CONFIG, [FSRVP_SHARE],
BIND_IP_CHOICES, BASE_IDMAP
BIND_IP_CHOICES, BASE_IDMAP, False, SYSTEM_SECURITY_DEFAULT
)
assert conf['rpc_daemon:fssd'] == 'fork'
assert conf['fss:prune stale'] is True
Expand All @@ -339,7 +341,7 @@ def test__ad_base():
conf = generate_smb_conf_dict(
DSType.AD, BASE_AD_CONFIG,
BASE_SMB_CONFIG, [],
BIND_IP_CHOICES, BASE_IDMAP
BIND_IP_CHOICES, BASE_IDMAP, False, SYSTEM_SECURITY_DEFAULT
)
assert conf['realm'] == 'TESTDOMAIN.IXSYSTEMS.COM'
assert conf['winbind use default domain'] is False
Expand All @@ -359,7 +361,7 @@ def test__ad_homes_share():
conf = generate_smb_conf_dict(
DSType.AD, BASE_AD_CONFIG,
BASE_SMB_CONFIG, [HOMES_SHARE],
BIND_IP_CHOICES, BASE_IDMAP
BIND_IP_CHOICES, BASE_IDMAP, False, SYSTEM_SECURITY_DEFAULT
)
assert 'obey pam restrictions' in conf
assert conf['obey pam restrictions'] is True
Expand All @@ -372,7 +374,7 @@ def test__ad_enumeration():
conf = generate_smb_conf_dict(
DSType.AD, DISABLE_ENUM,
BASE_SMB_CONFIG, [],
BIND_IP_CHOICES, BASE_IDMAP
BIND_IP_CHOICES, BASE_IDMAP, False, SYSTEM_SECURITY_DEFAULT
)
assert conf['winbind enum users'] is False
assert conf['winbind enum groups'] is False
Expand All @@ -382,7 +384,7 @@ def test__ad_trusted_doms():
conf = generate_smb_conf_dict(
DSType.AD, TRUSTED_DOMS,
BASE_SMB_CONFIG, [],
BIND_IP_CHOICES, BASE_IDMAP
BIND_IP_CHOICES, BASE_IDMAP, False, SYSTEM_SECURITY_DEFAULT
)
assert conf['allow trusted domains'] is True

Expand All @@ -391,7 +393,7 @@ def test__ad_default_domain():
conf = generate_smb_conf_dict(
DSType.AD, USE_DEFAULT_DOM,
BASE_SMB_CONFIG, [],
BIND_IP_CHOICES, BASE_IDMAP
BIND_IP_CHOICES, BASE_IDMAP, False, SYSTEM_SECURITY_DEFAULT
)
assert conf['winbind use default domain'] is True

Expand All @@ -400,7 +402,7 @@ def test__ad_additional_domain():
conf = generate_smb_conf_dict(
DSType.AD, TRUSTED_DOMS,
BASE_SMB_CONFIG, [],
BIND_IP_CHOICES, BASE_IDMAP + [ADDITIONAL_DOMAIN]
BIND_IP_CHOICES, BASE_IDMAP + [ADDITIONAL_DOMAIN], False, SYSTEM_SECURITY_DEFAULT
)
assert conf['idmap config BOBDOM : backend'] == 'rid'
assert conf['idmap config BOBDOM : range'] == '200000001 - 300000000'
Expand All @@ -410,7 +412,8 @@ def test__ad_autorid():
conf = generate_smb_conf_dict(
DSType.AD, BASE_AD_CONFIG,
BASE_SMB_CONFIG, [],
BIND_IP_CHOICES, [AUTORID_DOMAIN, BASE_IDMAP[1], BASE_IDMAP[2]]
BIND_IP_CHOICES, [AUTORID_DOMAIN, BASE_IDMAP[1], BASE_IDMAP[2]],
False, SYSTEM_SECURITY_DEFAULT
)
assert conf['idmap config * : backend'] == 'autorid'
assert conf['idmap config * : range'] == '10000 - 200000000'
Expand All @@ -419,23 +422,23 @@ def test__ad_autorid():
def test__encryption_negotiate():
conf = generate_smb_conf_dict(
None, None, SMB_ENCRYPTION_NEGOTIATE, [],
BIND_IP_CHOICES, BASE_IDMAP
BIND_IP_CHOICES, BASE_IDMAP, False, SYSTEM_SECURITY_DEFAULT
)
assert conf['server smb encrypt'] == 'if_required'


def test__encryption_desired():
conf = generate_smb_conf_dict(
None, None, SMB_ENCRYPTION_DESIRED, [],
BIND_IP_CHOICES, BASE_IDMAP
BIND_IP_CHOICES, BASE_IDMAP, False, SYSTEM_SECURITY_DEFAULT
)
assert conf['server smb encrypt'] == 'desired'


def test__encryption_required():
conf = generate_smb_conf_dict(
None, None, SMB_ENCRYPTION_REQUIRED, [],
BIND_IP_CHOICES, BASE_IDMAP
BIND_IP_CHOICES, BASE_IDMAP, False, SYSTEM_SECURITY_DEFAULT
)
assert conf['server smb encrypt'] == 'required'

Expand All @@ -444,7 +447,7 @@ def test__ipa_base():
conf = generate_smb_conf_dict(
DSType.IPA, BASE_IPA_CONFIG,
BASE_SMB_CONFIG, [],
BIND_IP_CHOICES, BASE_IDMAP
BIND_IP_CHOICES, BASE_IDMAP, False, SYSTEM_SECURITY_DEFAULT
)
assert conf['workgroup'] == 'TN'
assert conf['server role'] == 'member server'
Expand All @@ -453,3 +456,12 @@ def test__ipa_base():
assert conf['realm'] == 'TESTDOM.TEST'
assert conf['idmap config TN : backend'] == 'sss'
assert conf['idmap config TN : range'] == '925000000 - 925199999'


def test__enable_stig():
conf = generate_smb_conf_dict(
None, None, BASE_SMB_CONFIG, [],
BIND_IP_CHOICES, BASE_IDMAP, True, SYSTEM_SECURITY_GPOS_STIG
)
assert conf['client use kerberos'] == 'required'
assert conf['ntlm auth'] == 'disabled'
Loading