Issue on check on firewall rules (Ubuntu 22-04 + UFW)
Description of problem:
CIS Ubuntu Linux 22.04 LTS Benchmark offers the option to use any of ufw, nftables or iptables, but if you choose to use ufw as your system firewall, all checks give incorrect results.
SCAP Security Guide Version:
master branch
Operating System Version:
Ubuntu 22.04 LTS
Steps to Reproduce:
- Apply CIS Ubuntu 22.04 Level 2 Server Benchmark choosing UFW as firewall
- Execute oscap:
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_level2_server ssg-ubuntu2204-ds.xml
Actual Results:
Title Install nftables Package
Rule xccdf_org.ssgproject.content_rule_package_nftables_installed
Result pass
Title Verify nftables Service is Enabled
Rule xccdf_org.ssgproject.content_rule_service_nftables_enabled
Result fail
Title Ensure nftables Default Deny Firewall Policy
Rule xccdf_org.ssgproject.content_rule_nftables_ensure_default_deny_policy
Result notchecked
Title Ensure nftables Rules are Permanent
Rule xccdf_org.ssgproject.content_rule_nftables_rules_permanent
Result fail
Title Ensure Base Chains Exist for Nftables
Rule xccdf_org.ssgproject.content_rule_set_nftables_base_chain
Result notchecked
Title Set nftables Configuration for Loopback Traffic
Rule xccdf_org.ssgproject.content_rule_set_nftables_loopback_traffic
Result notchecked
Title Ensure a Table Exists for Nftables
Rule xccdf_org.ssgproject.content_rule_set_nftables_table
Result notchecked
Title Remove ufw Package
Rule xccdf_org.ssgproject.content_rule_package_ufw_removed
Result fail
Title Verify ufw Enabled
Rule xccdf_org.ssgproject.content_rule_service_ufw_enabled
Result pass
Title Ensure ufw Default Deny Firewall Policy
Rule xccdf_org.ssgproject.content_rule_set_ufw_default_rule
Result notchecked
Title Set UFW Loopback Traffic
Rule xccdf_org.ssgproject.content_rule_set_ufw_loopback_traffic
Result notchecked
Title Ensure ufw Firewall Rules Exist for All Open Ports
Rule xccdf_org.ssgproject.content_rule_ufw_rules_for_open_ports
Result notchecked
Expected Results:
Title Install nftables Package
Rule xccdf_org.ssgproject.content_rule_package_nftables_installed
Result notchecked
Title Verify nftables Service is Enabled
Rule xccdf_org.ssgproject.content_rule_service_nftables_enabled
Result notchecked
Title Ensure nftables Default Deny Firewall Policy
Rule xccdf_org.ssgproject.content_rule_nftables_ensure_default_deny_policy
Result notchecked
Title Ensure nftables Rules are Permanent
Rule xccdf_org.ssgproject.content_rule_nftables_rules_permanent
Result notchecked
Title Ensure Base Chains Exist for Nftables
Rule xccdf_org.ssgproject.content_rule_set_nftables_base_chain
Result notchecked
Title Set nftables Configuration for Loopback Traffic
Rule xccdf_org.ssgproject.content_rule_set_nftables_loopback_traffic
Result notchecked
Title Ensure a Table Exists for Nftables
Rule xccdf_org.ssgproject.content_rule_set_nftables_table
Result notchecked
Title Remove ufw Package
Rule xccdf_org.ssgproject.content_rule_package_ufw_removed
Result notchecked
Title Verify ufw Enabled
Rule xccdf_org.ssgproject.content_rule_service_ufw_enabled
Result pass
Title Ensure ufw Default Deny Firewall Policy
Rule xccdf_org.ssgproject.content_rule_set_ufw_default_rule
Result pass
Title Set UFW Loopback Traffic
Rule xccdf_org.ssgproject.content_rule_set_ufw_loopback_traffic
Result pass
Title Ensure ufw Firewall Rules Exist for All Open Ports
Rule xccdf_org.ssgproject.content_rule_ufw_rules_for_open_ports
Result pass
Additional Information/Debugging Steps:
PR #10812 fixed checks on RHEL-like systems using firewalld, but not on Debian-like systems using Uncomplicated Firewall.
For firewall rules you will need to use a tailoring file to select the firewall you want. By default the profile is enabled for nftables only.
Hello! Could you please explain how to use a tailoring file?
Thanks
You can either use scap-workbench or use autotailor; for more information see: https://github.com/OpenSCAP/openscap/blob/main/docs/manual/manual.adoc#61-creating-tailoring-files
Could you please guide me through this by writing a step-by-step procedure for dummies?
Thanks
You will need to install openscap-utils from a newer release of Ubuntu for that, as the tool is only packaged in openscap 1.3.
Then you can:
$ autotailor --select package_ufw_installed --select service_nftables_disabled --select package_nftables_removed --unselect package_nftables_installed --unselect package_ufw_removed --output csl2.xml -p xccdf_org.ssgproject.content_profile_cis_level2_server_customized ssg-ubuntu2204-ds.xml xccdf_org.ssgproject.content_profile_cis_level2_server
That generates a csl2.xml file that you can use with oscap.
With that you can follow https://github.com/OpenSCAP/openscap/blob/main/docs/manual/manual.adoc#using-tailoring-files
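The same selections the autotailor command above makes, built directly as an XCCDF 1.2 Tailoring document so the result can be inspected before it is handed to oscap (an added example, not code from the thread or from the ComplianceAsCode project). The datastream name and profile ids are the ones used in the thread; the tailoring id is an assumption that mirrors autotailor's default, and the parse-back helper is only here to verify the file.

```python
"""Build an XCCDF 1.2 tailoring file that switches the CIS Level 2 Server
profile from nftables to ufw, matching the autotailor command in the thread."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
RULE_PREFIX = "xccdf_org.ssgproject.content_rule_"  # SSG rule id prefix
DATASTREAM = "ssg-ubuntu2204-ds.xml"
BASE_PROFILE = "xccdf_org.ssgproject.content_profile_cis_level2_server"
NEW_PROFILE = BASE_PROFILE + "_customized"

# Short rule names taken from the autotailor command above.
UFW_SELECT = ["package_ufw_installed", "service_nftables_disabled",
              "package_nftables_removed"]
UFW_UNSELECT = ["package_nftables_installed", "package_ufw_removed"]


def q(tag):
    """Qualify a tag with the XCCDF 1.2 namespace."""
    return f"{{{XCCDF_NS}}}{tag}"


def build_tailoring(datastream, base_profile, new_profile, select, unselect):
    """Return the tailoring document as an XML string."""
    ET.register_namespace("xccdf-1.2", XCCDF_NS)
    # Tailoring id is assumed; autotailor uses this default name.
    root = ET.Element(q("Tailoring"), id="xccdf_auto_tailoring_default")
    ET.SubElement(root, q("benchmark"), href=datastream)
    ver = ET.SubElement(root, q("version"),
                        time=datetime.now(timezone.utc).isoformat())
    ver.text = "1"
    # The new profile extends the base profile and only overrides selections.
    prof = ET.SubElement(root, q("Profile"), id=new_profile, extends=base_profile)
    ET.SubElement(prof, q("title"), override="true").text = "CIS L2 Server (ufw)"
    for name in select:
        ET.SubElement(prof, q("select"), idref=RULE_PREFIX + name, selected="true")
    for name in unselect:
        ET.SubElement(prof, q("select"), idref=RULE_PREFIX + name, selected="false")
    return ET.tostring(root, encoding="unicode")


def selections(xml_text):
    """Parse a tailoring file back into {rule_id: selected} for review."""
    root = ET.fromstring(xml_text)
    return {s.get("idref"): s.get("selected") == "true"
            for s in root.iter(q("select"))}


if __name__ == "__main__":
    doc = build_tailoring(DATASTREAM, BASE_PROFILE, NEW_PROFILE, UFW_SELECT, UFW_UNSELECT)
    with open("csl2.xml", "w", encoding="utf-8") as fh:
        fh.write(doc)
    print(f"oscap xccdf eval --tailoring-file csl2.xml --profile {NEW_PROFILE} {DATASTREAM}")
```

Review the parsed selections before scanning: the ufw rules should read True and the nftables install/ufw removal rules False, otherwise the scan will still report the nftables results shown in the issue.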