Merge pull request ComplianceAsCode#11134 from dodys/nftables

Ubuntu: Add missing nftables variables and improve remediation and checks
rumch-se · Sep 27, 2023 · 86f6761 · 86f6761
2 parents c1b0203 + bea5920
commit 86f6761
Show file tree

Hide file tree

Showing 8 changed files with 89 additions and 46 deletions.
diff --git a/linux_os/guide/system/network/network-nftables/nftables_rules_permanent/bash/ubuntu.sh b/linux_os/guide/system/network/network-nftables/nftables_rules_permanent/bash/ubuntu.sh
@@ -0,0 +1,18 @@
+# platform = multi_platform_ubuntu
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = high
+
+{{{ bash_instantiate_variables("var_nftables_master_config_file") }}}
+
+{{{ bash_instantiate_variables("var_nftables_family") }}}
+
+if [ ! -f "${var_nftables_master_config_file}" ]; then
+    touch "${var_nftables_master_config_file}"
+fi
+
+nft list ruleset > "/etc/${var_nftables_family}-filter.rules"
+
+grep -qxF 'include "/etc/'"${var_nftables_family}"'-filter.rules"' "${var_nftables_master_config_file}" \
+    || echo 'include "/etc/'"${var_nftables_family}"'-filter.rules"' >> "${var_nftables_master_config_file}"
diff --git a/linux_os/guide/system/network/network-nftables/nftables_rules_permanent/oval/ubuntu.xml b/linux_os/guide/system/network/network-nftables/nftables_rules_permanent/oval/ubuntu.xml
@@ -0,0 +1,43 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+      {{{ oval_metadata("Make sure that there is permanent nftables configuration file used
+          to save and re-apply rules on reboot") }}}
+    <criteria operator="AND">
+      <criterion test_ref="test_etc_nftables_conf_file"
+          comment="/etc/nftables.conf exists and include entry present" />
+      <criterion test_ref="test_etc_nftables_conf_include_file_exists"
+          comment="Check if file in include entry exists and not empty" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test id="test_etc_nftables_conf_file"
+      comment="Check the existence of /etc/nftables.conf file"
+      check="all" check_existence="all_exist" version="1">
+    <ind:object object_ref="object_etc_nftables_conf_file" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_test id="test_etc_nftables_conf_include_file_exists"
+      comment="Check if file in include entry exists in system"
+      check="all" check_existence="all_exist" version="1">
+    <ind:object object_ref="object_etc_nftables_conf_include_file_exists" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_etc_nftables_conf_file" version="1">
+    <ind:filepath operation="equals" var_ref="var_nftables_master_config_file"/>
+    <ind:pattern operation="pattern match">^[\s]*include[\s]+\"([^\s]+)"$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_etc_nftables_conf_include_file_exists" version="1">
+    <ind:filepath operation="equals" var_ref="var_include_entry_config_path"/>
+    <ind:pattern operation="pattern match">^.*$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <external_variable comment="file path" datatype="string"
+                     id="var_nftables_master_config_file" version="1"/>
+
+  <local_variable id="var_include_entry_config_path" datatype="string" version="1"
+    comment="File path of the include entry in nftables configuration">
+    <object_component item_field="subexpression" object_ref="object_etc_nftables_conf_file" />
+  </local_variable>
+</def-group>
diff --git a/linux_os/guide/system/network/network-nftables/nftables_rules_permanent/sce/ubuntu.sh b/linux_os/guide/system/network/network-nftables/nftables_rules_permanent/sce/ubuntu.sh
diff --git a/linux_os/guide/system/network/network-nftables/set_nftables_base_chain/sce/shared.sh b/linux_os/guide/system/network/network-nftables/set_nftables_base_chain/sce/shared.sh
@@ -4,9 +4,9 @@
 
 output=$(nft list ruleset)
 # Check if there are base chains
-if ! (grep -q 'hook input' "$output" &&\
-    grep -q 'hook forward' "$output" &&\
-    grep -q 'hook output' "$output"); then
+if ! (echo "$output" | grep -q 'hook input' &&\
+    echo "$output" | grep -q 'hook forward' &&\
+    echo "$output" |grep -q 'hook output'); then
     exit "${XCCDF_RESULT_FAIL}"
 fi
 

diff --git a/linux_os/guide/system/network/network-nftables/set_nftables_loopback_traffic/bash/shared.sh b/linux_os/guide/system/network/network-nftables/set_nftables_loopback_traffic/bash/shared.sh
@@ -1,22 +1,32 @@
 # platform = multi_platform_all
 
+{{% if "ubuntu" in product %}}
+{{{ bash_instantiate_variables("var_nftables_family") }}}
+{{% endif %}}
+
+grubfile="{{{ grub2_boot_path }}}/grub.cfg"
+
 # Implement the loopback rules:
 nft add rule inet filter input iif lo accept
 nft insert rule inet filter input ip saddr 127.0.0.0/8 counter drop
 
 # Check IPv6 is disabled, if false implement IPv6 loopback rules
-[ -n "$passing" ] && passing=""
-[ -z "$(grep "^\s*linux" /boot/grub2/grub.cfg | grep -v ipv6.disabled=1)" ] && passing="true"
+disabled="false"
+[ -f "$grubfile" ] && ! grep "^\s*linux" "$grubfile" | grep -vq "ipv6.disable=1" && disabled="true"
 
 grep -Eq "^\s*net\.ipv6\.conf\.all\.disable_ipv6\s*=\s*1\b(\s+#.*)?$" \
 /etc/sysctl.conf /etc/sysctl.d/*.conf && \
 grep -Eq "^\s*net\.ipv6\.conf\.default\.disable_ipv6\s*=\s*1\b(\s+#.*)?$" \
 /etc/sysctl.conf /etc/sysctl.d/*.conf && sysctl net.ipv6.conf.all.disable_ipv6 | \
 grep -Eq "^\s*net\.ipv6\.conf\.all\.disable_ipv6\s*=\s*1\b(\s+#.*)?$" && \
 sysctl net.ipv6.conf.default.disable_ipv6 | \
-grep -Eq "^\s*net\.ipv6\.conf\.default\.disable_ipv6\s*=\s*1\b(\s+#.*)?$" && passing="true"
+grep -Eq "^\s*net\.ipv6\.conf\.default\.disable_ipv6\s*=\s*1\b(\s+#.*)?$" && disabled="true"
 
 # Is IPv6 Disabled? (true/false)
-if [ "$passing" = false ] ; then
+if [ "$disabled" = false ] ; then
     nft add rule inet filter input ip6 saddr ::1 counter drop
 fi
+
+{{% if "ubuntu" in product %}}
+nft list ruleset > "/etc/${var_nftables_family}-filter.rules"
+{{% endif %}}
diff --git a/linux_os/guide/system/network/network-nftables/set_nftables_loopback_traffic/sce/ubuntu.sh b/linux_os/guide/system/network/network-nftables/set_nftables_loopback_traffic/sce/ubuntu.sh
@@ -3,16 +3,16 @@
 # check-import = stdout
 
 output=$(nft list ruleset | awk '/hook input/,/}/')
-if ! grep 'iif "lo" accept' "$output"; then
+if ! echo "$output" | grep -q 'iif "lo" accept'; then
     exit "${XCCDF_RESULT_FAIL}"
 fi
 
-if ! grep 'ip saddr' "$output"; then
+if ! echo "$output" | grep -q 'ip saddr'; then
     exit "${XCCDF_RESULT_FAIL}"
 fi
 
 if [ -e /proc/sys/net/ipv6/conf/all/disable_ipv6 ] && [ "$(cat /proc/sys/net/ipv6/conf/all/disable_ipv6)" -eq 0 ]; then
-    if ! grep 'ip6 saddr' "$output"; then
+    if ! echo "$output" | grep -q 'ip6 saddr'; then
         exit "${XCCDF_RESULT_FAIL}"
     fi
 fi

diff --git a/products/ubuntu2004/profiles/cis_level1_server.profile b/products/ubuntu2004/profiles/cis_level1_server.profile
@@ -416,6 +416,10 @@ selections:
     - set_nftables_table
 
     #### 3.5.2.5 Ensure base chains exist (Automated)
+    - var_nftables_base_chain_names=chain_names
+    - var_nftables_base_chain_types=chain_types
+    - var_nftables_base_chain_hooks=chain_hooks
+    - var_nftables_base_chain_priorities=chain_priorities
     - set_nftables_base_chain
 
     #### 3.5.2.6 Ensure loopback traffic is configured (Automated)

diff --git a/products/ubuntu2204/profiles/cis_level1_server.profile b/products/ubuntu2204/profiles/cis_level1_server.profile
@@ -449,6 +449,10 @@ selections:
     - set_nftables_table
 
     #### 3.5.2.5 Ensure nftables base chains exist (Automated)
+    - var_nftables_base_chain_names=chain_names
+    - var_nftables_base_chain_types=chain_types
+    - var_nftables_base_chain_hooks=chain_hooks
+    - var_nftables_base_chain_priorities=chain_priorities
     - set_nftables_base_chain
 
     #### 3.5.2.6 Ensure nftables loopback traffic is configured (Automated)