Ensure a Table Exists for Nftables
An XCCDF Rule
Description
Tables in nftables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of six families.
Warning: Adding rules to a running nftables can cause loss of connectivity to the system.
Rationale
nftables has no default tables. Until a table has been created, nftables will not filter any network traffic. Note: adding rules to a running nftables can cause loss of connectivity to the system.
- ID: xccdf_org.ssgproject.content_rule_set_nftables_table
- Severity: Medium
- References:
- Updated:
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'nftables' 2>/dev/null | grep -q installed; then

    # Set nftables family name (the XCCDF <sub/> element is replaced with the
    # value of var_nftables_family when the content is built)
    var_nftables_family='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_nftables_family" use="legacy"/>'

fi
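As an added example (not the SSG remediation script itself), a shell check that audits the output of nft list tables for one family/table pair, validates the family against the six nftables accepts, and matches the whole line so that inet filter is not confused with inet filter2 or ip6 filter. The table name filter, the ensure_nft_table wrapper and the sample listing are constructed assumptions.

```shell
#!/bin/sh
# Added example: check whether an nftables table exists for a given
# address family, reading `nft list tables` output from stdin so the
# check can be tested without a live nftables.
nft_table_exists() {
    family="$1"
    table="$2"
    # nftables accepts exactly these six families
    case "$family" in
        ip|ip6|inet|arp|bridge|netdev) ;;
        *) echo "unknown nftables family: $family" >&2; return 2 ;;
    esac
    # `nft list tables` prints one "table <family> <name>" per line.
    # Anchor both ends so a prefix or a different family does not match.
    grep -Eq "^table[[:space:]]+${family}[[:space:]]+${table}[[:space:]]*$"
}

# Constructed wrapper: report an existing table or create it.
# Needs root and a running nftables; `nft create table` fails if the
# table already exists, so the check above decides which path to take.
ensure_nft_table() {
    family="$1"
    table="$2"
    if nft list tables 2>/dev/null | nft_table_exists "$family" "$table"; then
        echo "table $family $table already exists"
    else
        nft create table "$family" "$table"
    fi
}
```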
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - low_complexity
    - low_disruption