Verify Permissions On /etc/iptables Directory

An XCCDF Rule

Description

To properly set the permissions of /etc/iptables, run the command:

$ sudo chmod 0700 /etc/iptables

Rationale

Setting correct permissions on the /etc/iptables directory is important because this directory hosts iptables configuration. Protection of this directory is critical for system security. Restricting the permissions ensures exclusive control of the iptables configuration.

ID: xccdf_org.ssgproject.content_rule_directory_permissions_etc_iptables
Severity: Medium
References: R50

CCE-86435-5
Updated: about 1 month ago

Remediation Templates

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-86435-5
  - configure_strategy  - directory_permissions_etc_iptables
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
- name: Find /etc/iptables/ file(s)
  command: 'find -H /etc/iptables/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt  -type d '
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false
  when: '"iptables" in ansible_facts.packages'
  tags:
  - CCE-86435-5
  - configure_strategy
  - directory_permissions_etc_iptables
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Set permissions for /etc/iptables/ file(s)
  file:
    path: '{{ item }}'
    mode: u-s,g-xwrs,o-xwrt
    state: directory
  with_items:
  - '{{ files_found.stdout_lines }}'
  when: '"iptables" in ansible_facts.packages'
  tags:
  - CCE-86435-5
  - configure_strategy
  - directory_permissions_etc_iptables
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

# Remediation is applicable only in certain platforms
if rpm --quiet -q iptables; then
find -H /etc/iptables/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \;

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Verify Permissions On /etc/iptables Directory

Description

Rationale

Remediation Templates

An Ansible Snippet

A Shell Script