Verify nftables Service is Enabled
An XCCDF Rule
Description
The nftables service allows for the loading of nftables rulesets during boot,
or starting on the nftables service
The nftables
service can be enabled with the following command:
$ sudo systemctl enable nftables.service
Rationale
The nftables service restores the nftables rules from the rules files referenced
in the /etc/sysconfig/nftables.conf
file during boot or the starting of
the nftables service
- ID
- xccdf_org.ssgproject.content_rule_service_nftables_enabled
- Severity
- Medium
- References
- Updated
Remediation - Puppet
include enable_nftables
class enable_nftables {
service {'nftables':
enable => true,
ensure => 'running',
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'nftables' 2>/dev/null | grep -q installed ); then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'nftables.service'
"$SYSTEMCTL_EXEC" start 'nftables.service'
Remediation - OS Build Blueprint
[customizations.services]
enabled = ["nftables"]
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- enable_strategy
- low_complexity