From 8895f300175c2a35f2595cd5940541176a152fab Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Wed, 20 Nov 2024 14:41:31 +0100
Subject: [PATCH 1/3] Add new rule service_dnsmasq_disabled
---
components/dnsmasq.yml | 1 +
.../dns/service_dnsmasq_disabled/rule.yml | 20 +++++++++++++++++++
2 files changed, 21 insertions(+)
create mode 100644 linux_os/guide/services/dns/service_dnsmasq_disabled/rule.yml
diff --git a/components/dnsmasq.yml b/components/dnsmasq.yml
index 836e9fd4367..1642ab79796 100644
--- a/components/dnsmasq.yml
+++ b/components/dnsmasq.yml
@@ -3,3 +3,4 @@ packages:
- dnsmasq
rules:
- package_dnsmasq_removed
+- service_dnsmasq_disabled
diff --git a/linux_os/guide/services/dns/service_dnsmasq_disabled/rule.yml b/linux_os/guide/services/dns/service_dnsmasq_disabled/rule.yml
new file mode 100644
index 00000000000..3fc51bf93b1
--- /dev/null
+++ b/linux_os/guide/services/dns/service_dnsmasq_disabled/rule.yml
@@ -0,0 +1,20 @@
+documentation_complete: true
+
+title: 'Disable dnsmasq Service'
+
+description: |-
+ {{{ describe_service_disable(service="dnsmasq") }}}
+
+rationale: |-
+ Unless a system is specifically designated to act as a DNS
+ caching, DNS forwarding and/or DHCP server, it is recommended
+ that the package be removed to reduce the potential attack surface.
+
+severity: medium
+
+platform: system_with_kernel
+
+template:
+ name: service_disabled
+ vars:
+ servicename: dnsmasq
From 8b19b7f63d85cf0e63be4a10cbcad3caf36ae372 Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Wed, 20 Nov 2024 14:43:05 +0100
Subject: [PATCH 2/3] Update ubuntu2404 CIS control 2.1.5
---
controls/cis_ubuntu2404.yml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index 07869e17a53..8b79d175025 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
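Review bot: The rationale in the new rule.yml still argues for package removal (`that the package be removed to reduce the potential attack surface.`) while the rule's title, description macro and service_disabled template are about disabling the dnsmasq service, so the stated reason does not match the check and remediation this rule generates. Suggest `that the service be disabled to reduce the potential attack surface.`, or spell out both options (remove the package where it is not needed, otherwise stop and mask the service) so the text does not read as a copy of the package_dnsmasq_removed rationale. The one-line list addition to components/dnsmasq.yml in the same patch raises nothing.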
@@ -682,8 +682,10 @@ controls:
levels:
- l1_server
- l1_workstation
- status: planned
- notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile.
+ rules:
+ - package_dnsmasq_removed
+ - service_dnsmasq_disabled
+ status: automated
- id: 2.1.6
title: Ensure ftp server services are not in use (Automated)
From 5da830e7cd12fde7cf6328f0165a4ebf5b4dda1f Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Mon, 25 Nov 2024 08:49:05 +0100
Subject: [PATCH 3/3] Add service_dnsmasq_disabled to bind component
This fixes failing ctest 'components', with error: `Rule 'service_dnsmasq_disabled' must be in component 'bind' because it's a member of 'dns' group.`
---
components/bind.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/components/bind.yml b/components/bind.yml
index 28d0f2874e2..93a91983f01 100644
--- a/components/bind.yml
+++ b/components/bind.yml
@@ -18,3 +18,4 @@ rules:
- package_bind_removed
- package_dnsmasq_removed
- service_named_disabled
+- service_dnsmasq_disabled
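Review bot: Selecting both package_dnsmasq_removed and service_dnsmasq_disabled under control 2.1.5 makes the profile require removal and disabling at the same time. If the benchmark text for 2.1.5 follows the usual "not in use" wording, where keeping the package as a dependency is acceptable provided the service is stopped and masked, a host that legitimately keeps dnsmasq installed but masked would fail the package rule; if that stricter reading is intended, a `notes:` line recording the decision would help the next reviewer. The enclosing `- id: 2.1.5` entry starts above the hunk, and the removed `notes:` also observed that the ubuntu2204 profile lacks this mapping, which this series leaves untouched.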