Merge pull request #10249 from teacup-on-rockingchair/sle_add_nftable…

…s_ensure_default_deny_policy

SLE15 add nftables ensure default deny policy

controls/cis_sle15.yml

@@ -1123,7 +1123,10 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    status: manual # rule is missing
+    status: automated
+    rules:
+      - var_nftables_master_config_file=sysconfig
+      - nftables_ensure_default_deny_policy
 
   - id: 3.5.2.9
     title: Ensure nftables service is enabled (Automated)
@@ -1141,7 +1144,7 @@ controls:
       - l1_workstation
     status: automated
     rules:
-      - var_nftable_master_config_file=sysconfig
+      - var_nftables_master_config_file=sysconfig
       - nftables_rules_permanent
 
   - id: 3.5.3.1.1

linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/oval/sle15.xml

@@ -0,0 +1,66 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("Make sure that there is permanent nftables configuration is configured
+    with default chains policy drop") }}}
+    <criteria operator="AND">
+      <criterion test_ref="test_{{{ rule_id }}}_file"
+                 comment="Check the existence of top level nftables configuration file" />
+      <criterion test_ref="test_{{{ rule_id }}}_include_chains_policy"
+                 comment="Check the contents of configuration files for default chains policy"/>
+    </criteria>
+  </definition>
+  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_file"
+  comment="Check top level configuration file is named as expected"
+  check="all" check_existence="all_exist" version="1">
+    <ind:object object_ref="object_{{{ rule_id }}}_file" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_{{{ rule_id }}}_file" version="1">
+    <ind:filepath operation="equals" var_ref="var_nftables_master_config_file"/>
+    <ind:pattern operation="pattern match">^[\s]*include[\s]+\"([^\s]+)"$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <external_variable comment="file path" datatype="string"
+                     id="var_nftables_master_config_file" version="1"/>
+  <local_variable id="var_{{{ rule_id }}}_families_config_paths" datatype="string" version="1"
+                  comment="File paths of all needed families part of the permanent configuration">
+    <unique>
+      <glob_to_regex>
+        <object_component item_field="subexpression" object_ref="object_{{{ rule_id }}}_file" />
+      </glob_to_regex>
+    </unique>
+  </local_variable>
+
+    <local_variable id="var_{{{ rule_id }}}_include_chains_configurations" datatype="string" version="1"
+                  comment="Chain configuration statements">
+    <unique>
+      <glob_to_regex>
+        <object_component item_field="subexpression" object_ref="object_{{{ rule_id }}}_include_chains_policy" />
+      </glob_to_regex>
+    </unique>
+  </local_variable>
+
+  <ind:variable_object id="object_var_{{{ rule_id }}}_include_chains_configurations" version="1">
+    <ind:var_ref>var_{{{ rule_id }}}_include_chains_configurations</ind:var_ref>
+  </ind:variable_object>
+
+  <ind:textfilecontent54_object id="object_{{{ rule_id }}}_include_chains_policy" version="1">
+    <ind:filepath operation="pattern match" var_check="at least one"
+                  var_ref="var_{{{ rule_id }}}_families_config_paths"/>
+    <ind:pattern operation="pattern match"
+                 >\s*chain\s*\w*\s*\{([^\}]*)\}</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:variable_state id="state_{{{ rule_id }}}_include_chains_policy"
+                               comment="policy should be drop" version="1">
+   <ind:value datatype="string" operation="pattern match">\;\s*policy drop\s*\;</ind:value>
+  </ind:variable_state>
+
+  <ind:variable_test id="test_{{{ rule_id }}}_include_chains_policy" check="all"
+                              check_existence="all_exist" version="1"
+                              comment="Check configuration files for default chains policy">
+    <ind:object object_ref="object_var_{{{ rule_id }}}_include_chains_configurations" />
+    <ind:state state_ref="state_{{{ rule_id }}}_include_chains_policy" />
+
+  </ind:variable_test>
+</def-group>

linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml

@@ -0,0 +1,36 @@
+documentation_complete: true
+
+prodtype: sle15
+
+title: 'Ensure nftables Default Deny Firewall Policy'
+
+description: |-
+   Base chain policy is the default verdict that will be applied to packets reaching the end of
+   the chain. There are two policies: accept (Default) and drop. If the policy is set to accept,
+   the firewall will accept any packet that is not configured to be denied and the packet will
+   continue traversing the network stack.
+
+rationale: |-
+   It is easier to allow acceptable usage than to block unacceptable usage.
+
+severity: medium
+
+identifiers:
+    cce@sle15: CCE-92507-3
+
+references:
+    cis@sle15: 3.5.2.8
+
+ocil_clause: 'default policy is not set for nftables rules'
+
+warnings:
+   - general: |-
+       Changing firewall settings while connected over network can result in being locked out
+       of the system.
+
+ocil: |-
+    Run the following commands and verify that base chains policy is <tt>drop</tt>:
+    <pre>$ sudo nft list ruleset | grep 'hook input' </pre>
+    Output should include a list of nftables similar to:
+    <tt>type filter hook input priority 0; policy drop; </tt>
+    Same goes not only for <tt>hook input</tt>, but also <tt>output</tt> and <tt>forward</tt>

linux_os/guide/system/network/network-nftables/nftables_rules_permanent/ansible/sle15.yml

@@ -3,15 +3,15 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-{{{ ansible_instantiate_variables("var_nftable_master_config_file") }}}
+{{{ ansible_instantiate_variables("var_nftables_master_config_file") }}}
 
 - name: Check the top-level configuration file exists
   ansible.builtin.stat:
-    path: "{{ var_nftable_master_config_file }}"
+    path: "{{ var_nftables_master_config_file }}"
 
 - name: Check the {{{ family }}} relevant file is included configuration
   ansible.builtin.lineinfile:
-    path: "{{ var_nftable_master_config_file }}"
+    path: "{{ var_nftables_master_config_file }}"
     line: 'include "/etc/nftables/{{ item }}-filter"'
     create: yes
   loop:

linux_os/guide/system/network/network-nftables/nftables_rules_permanent/bash/sle15.sh

@@ -6,13 +6,13 @@
 
 {{% set nftables_family_names = ['bridge', 'arp', 'inet'] %}}
 
-{{{ bash_instantiate_variables("var_nftable_master_config_file") }}}
+{{{ bash_instantiate_variables("var_nftables_master_config_file") }}}
 
-if [ ! -f "${var_nftable_master_config_file}" ]; then
-    touch "${var_nftable_master_config_file}"
+if [ ! -f "${var_nftables_master_config_file}" ]; then
+    touch "${var_nftables_master_config_file}"
 fi
 
 {{% for family in nftables_family_names %}}
-grep -qxF 'include "/etc/nftables/{{{ family }}}-filter"' "${var_nftable_master_config_file}" \
-    || echo 'include "/etc/nftables/{{{ family }}}-filter"' >> "${var_nftable_master_config_file}"
+grep -qxF 'include "/etc/nftables/{{{ family }}}-filter"' "${var_nftables_master_config_file}" \
+    || echo 'include "/etc/nftables/{{{ family }}}-filter"' >> "${var_nftables_master_config_file}"
 {{% endfor %}}

linux_os/guide/system/network/network-nftables/nftables_rules_permanent/oval/sle15.xml

@@ -36,12 +36,12 @@
   </local_variable>
 {{% endfor %}}
   <ind:textfilecontent54_object id="object_{{{ rule_id }}}_file" version="1">
-    <ind:filepath operation="equals" var_ref="var_nftable_master_config_file"/>
+    <ind:filepath operation="equals" var_ref="var_nftables_master_config_file"/>
     <ind:pattern operation="pattern match">^[\s]*include[\s]+\"([^\s]+)"$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
   <external_variable comment="file path" datatype="string"
-                     id="var_nftable_master_config_file" version="1"/>
+                     id="var_nftables_master_config_file" version="1"/>
   <local_variable id="var_{{{ rule_id }}}_families_config_paths" datatype="string" version="1"
     comment="File paths of all needed families part of the permanent configuration">
     <object_component item_field="subexpression" object_ref="object_{{{ rule_id }}}_file" />

linux_os/guide/system/network/network-nftables/nftables_rules_permanent/rule.yml

@@ -2,12 +2,12 @@ documentation_complete: true
 
 prodtype: sle15
 
-title: 'Ensure nftables rules are permanent'
+title: 'Ensure nftables Rules are Permanent'
 
 description: |-
     nftables is a subsystem of the Linux kernel providing filtering and classification of
     network packets/datagrams/frames. The nftables service reads the
-    {{{ xccdf_value("var_nftable_master_config_file") }}} file for a nftables file or files to
+    {{{ xccdf_value("var_nftables_master_config_file") }}} file for a nftables file or files to
     include in the nftables ruleset. A nftables ruleset containing the input, forward, and output
     base chains allow network traffic to be filtered.
 
@@ -31,18 +31,18 @@ ocil: |-
     Run the following command to verify the input base chain:
     <pre>
     # awk '/hook input/,/}/' $(awk '$1 ~ /^\s*include/ { gsub("\"","",$2);print $2 }' \
-    {{{ xccdf_value("var_nftable_master_config_file") }}})
+    {{{ xccdf_value("var_nftables_master_config_file") }}})
     </pre>
     or for forward base chain:
     <pre>
     # awk '/hook forward/,/}/' $(awk '$1 ~ /^\s*include/ { gsub("\"","",$2);print $2 }' \
-    {{{ xccdf_value("var_nftable_master_config_file") }}})
+    {{{ xccdf_value("var_nftables_master_config_file") }}})
     </pre>
     Review the base chains to ensure that they follow local site policy
 
 fixtext: |-
-    Edit the {{{ xccdf_value("var_nftable_master_config_file") }}} file and un-comment or add
+    Edit the {{{ xccdf_value("var_nftables_master_config_file") }}} file and un-comment or add
     a line with include absolute path to nftables rules file for each nftables file you want
     included in the nftables ruleset on boot.
-    For example the  {{{ xccdf_value("var_nftable_master_config_file") }}} should contain
+    For example the  {{{ xccdf_value("var_nftables_master_config_file") }}} should contain
     <pre>include "/etc/nftables/nftables.rules"</pre>

linux_os/guide/system/network/network-nftables/nftables_rules_permanent/tests/invalid_top_level_config_file.fail.sh

@@ -1,4 +1,4 @@
-# variables = var_nftable_master_config_file=/etc/sysconfig/nftables.conf
+# variables = var_nftables_master_config_file=/etc/sysconfig/nftables.conf
 
 # make sure that variable is set correctly on new platform adding
 echo 'include /some/invalid/path' > "/etc/sysconfig/nftables.conf"

linux_os/guide/system/network/network-nftables/nftables_rules_permanent/tests/no_top_level_config_file.fail.sh

@@ -1,3 +1,3 @@
-# variables = var_nftable_master_config_file=/etc/sysconfig/nftables.conf
+# variables = var_nftables_master_config_file=/etc/sysconfig/nftables.conf
 
 rm "/etc/sysconfig/nftables.conf"

linux_os/guide/system/network/network-nftables/nftables_rules_permanent/tests/valid_top_level_config_file.pass.sh

@@ -1,4 +1,4 @@
-# variables = var_nftable_master_config_file=/etc/sysconfig/nftables.conf
+# variables = var_nftables_master_config_file=/etc/sysconfig/nftables.conf
 {{% set nftables_family_names = ['bridge', 'arp', 'inet'] %}}
 
 # make sure file starts from empty

shared/references/cce-sle15-avail.txt

@@ -16,7 +16,6 @@ CCE-92501-6
 CCE-92503-2
 CCE-92505-7
 CCE-92506-5
-CCE-92507-3
 CCE-92508-1
 CCE-92509-9
 CCE-92510-7