Configure Firewalld to Use the Nftables Backend

An XCCDF Rule

Description

Firewalld can be configured with many backends, such as nftables.

Rationale

Nftables is modern kernel module for controling network connections coming into a system. Utilizing the limit statement in "nftables" can help to mitigate DoS attacks.

ID: xccdf_org.ssgproject.content_rule_firewalld-backend
Severity: Medium
References: CCI-002385

SC-5

SRG-OS-000420-GPOS-00186

RHEL-08-040150

SV-230525r902735_rule

CCE-86506-3
Updated: about 1 year ago

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q firewalld; }; then

if [ -e "/etc/firewalld/firewalld.conf" ] ; then
    
    LC_ALL=C sed -i "/^\s*FirewallBackend\s*=\s*/d" "/etc/firewalld/firewalld.conf"else
    touch "/etc/firewalld/firewalld.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/firewalld/firewalld.conf"

cp "/etc/firewalld/firewalld.conf" "/etc/firewalld/firewalld.conf.bak"
# Insert before the line matching the regex '^#\s*FirewallBackend'.
line_number="$(LC_ALL=C grep -n "^#\s*FirewallBackend" "/etc/firewalld/firewalld.conf.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^#\s*FirewallBackend', insert at
    # the end of the file.
    printf '%s\n' "FirewallBackend=nftables" >> "/etc/firewalld/firewalld.conf"
else
    head -n "$(( line_number - 1 ))" "/etc/firewalld/firewalld.conf.bak" > "/etc/firewalld/firewalld.conf"
    printf '%s\n' "FirewallBackend=nftables" >> "/etc/firewalld/firewalld.conf"
    tail -n "+$(( line_number ))" "/etc/firewalld/firewalld.conf.bak" >> "/etc/firewalld/firewalld.conf"
fi
# Clean up after ourselves.
rm "/etc/firewalld/firewalld.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-86506-3
  - DISA-STIG-RHEL-08-040150  - NIST-800-53-SC-5
  - firewalld-backend
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Setting unquoted shell-style assignment of 'FirewallBackend' to 'nftables'
    in '/etc/firewalld/firewalld.conf'
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/firewalld/firewalld.conf
      create: true
      regexp: ^\s*FirewallBackend=
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/firewalld/firewalld.conf
    lineinfile:
      path: /etc/firewalld/firewalld.conf
      create: true
      regexp: ^\s*FirewallBackend=
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/firewalld/firewalld.conf
    lineinfile:
      path: /etc/firewalld/firewalld.conf
      create: true
      regexp: ^\s*FirewallBackend=
      line: FirewallBackend=nftables
      state: present
      insertbefore: ^# FirewallBackend
      validate: /usr/bin/bash -n %s
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - '"firewalld" in ansible_facts.packages'
  tags:
  - CCE-86506-3
  - DISA-STIG-RHEL-08-040150
  - NIST-800-53-SC-5
  - firewalld-backend
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Configure Firewalld to Use the Nftables Backend

Description

Rationale

Remediation - Shell Script

Remediation - Ansible