Ensure a Table Exists for Nftables

An XCCDF Rule

Description

Tables in nftables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of six families.

warning alert: Warning

Adding or editing rules in a running nftables can cause loss of connectivity to the system.

warning alert: Warning

Both the SCE check and remediation for this rule only consider runtime settings. There is no specific file to check as it depends on each site's policy. Therefore, check and remediation use the nft command directly. The fix is not persistent across system reboots.

warning alert: Functionality Warning

SCE check does not support variables, therefore the SCE check in this rule only checks the address family, regardless of the table name.

Rationale

Nftables doesn't have any default tables. Without a table being built, nftables will not filter network traffic.

ID: xccdf_org.ssgproject.content_rule_set_nftables_table
Severity: Medium
References: 3.5.2.4

CCE-92569-3
Updated: 5 days ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-92569-3
  - low_complexity  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - set_nftables_table
- name: XCCDF Value var_nftables_family # promote to variable
  set_fact:
    var_nftables_family: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_nftables_family" use="legacy"/>
  tags:
    - always
- name: XCCDF Value var_nftables_table # promote to variable
  set_fact:
    var_nftables_table: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_nftables_table" use="legacy"/>
  tags:
    - always

- name: Collect Existing Nftables
  ansible.builtin.command: nft list table {{ var_nftables_family }} {{ var_nftables_table
    }}
  register: result_nftables_table_family
  changed_when: false
  failed_when: result_nftables_table_family.rc not in [0, 1]
  when: '"nftables" in ansible_facts.packages'
  tags:
  - CCE-92569-3
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - set_nftables_table

- name: Set Nftable Table
  ansible.builtin.command: nft create table {{ var_nftables_family }} {{ var_nftables_table
    }}
  when:
  - '"nftables" in ansible_facts.packages'
  - result_nftables_table_family is not skipped
  - result_nftables_table_family.rc != 0
  tags:
  - CCE-92569-3
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - set_nftables_table

# Remediation is applicable only in certain platforms
if rpm --quiet -q nftables; then

var_nftables_family='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_nftables_family" use="legacy"/>'

var_nftables_table='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_nftables_table" use="legacy"/>'

if ! nft list table $var_nftables_family $var_nftables_table; then
  nft create table "$var_nftables_family" "$var_nftables_table"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure a Table Exists for Nftables

Description

Rationale

Remediation - Ansible

Remediation - Shell Script