Ensure nftables Rules are Permanent

An XCCDF Rule

Description

nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames. The nftables service reads the file for a nftables file or files to include in the nftables ruleset. A nftables ruleset containing the input, forward, and output base chains allow network traffic to be filtered.

Rationale

Changes made to nftables ruleset only affect the live system, you will also need to configure the nftables ruleset to apply on boot

ID: xccdf_org.ssgproject.content_rule_nftables_rules_permanent
Severity: Medium
References: 3.5.2.10

CCE-92485-2
Updated: about 1 year ago

# Remediation is applicable only in certain platforms
if ( rpm --quiet -q nftables ); then

var_nftables_master_config_file='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_nftables_master_config_file" use="legacy"/>'

if [ ! -f "${var_nftables_master_config_file}" ]; then
    touch "${var_nftables_master_config_file}"
fi


grep -qxF 'include "/etc/nftables/bridge-filter"' "${var_nftables_master_config_file}" \
    || echo 'include "/etc/nftables/bridge-filter"' >> "${var_nftables_master_config_file}"

grep -qxF 'include "/etc/nftables/arp-filter"' "${var_nftables_master_config_file}" \
    || echo 'include "/etc/nftables/arp-filter"' >> "${var_nftables_master_config_file}"

grep -qxF 'include "/etc/nftables/inet-filter"' "${var_nftables_master_config_file}" \
    || echo 'include "/etc/nftables/inet-filter"' >> "${var_nftables_master_config_file}"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-92485-2
  - low_complexity  - low_disruption
  - medium_severity
  - nftables_rules_permanent
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_nftables_master_config_file # promote to variable
  set_fact:
    var_nftables_master_config_file: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_nftables_master_config_file" use="legacy"/>
  tags:
    - always

- name: Check the top-level configuration file exists
  ansible.builtin.stat:
    path: '{{ var_nftables_master_config_file }}'
  when: ( "nftables" in ansible_facts.packages )
  tags:
  - CCE-92485-2
  - low_complexity
  - low_disruption
  - medium_severity
  - nftables_rules_permanent
  - no_reboot_needed
  - restrict_strategy

- name: Check the  relevant file is included configuration
  ansible.builtin.lineinfile:
    path: '{{ var_nftables_master_config_file }}'
    line: include "/etc/nftables/{{ item }}-filter"
    create: true
  loop:
  - bridge
  - arp
  - inet
  when: ( "nftables" in ansible_facts.packages )
  tags:
  - CCE-92485-2
  - low_complexity
  - low_disruption
  - medium_severity
  - nftables_rules_permanent
  - no_reboot_needed
  - restrict_strategy

Ensure nftables Rules are Permanent

Description

Rationale

Remediation - Shell Script

Remediation - Ansible