-
Notifications
You must be signed in to change notification settings - Fork 710
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Implement firewall_single_service_active
New rule for checking that only one firewall service is active. Satisfies Ubuntu 24.04 CIS control 4.1.1
- Loading branch information
Showing
6 changed files
with
114 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
53 changes: 53 additions & 0 deletions
53
linux_os/guide/system/network/firewall_single_service_active/oval/shared.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| <def-group> | ||
| <!-- Check that exactly one firewall service is active --> | ||
| <definition class="compliance" id="{{{ rule_id }}}" version="1"> | ||
| <metadata> | ||
| <title>Ensure Only One Firewall Service is Active</title> | ||
| <affected family="unix"> | ||
| <platform>multi_platform_all</platform> | ||
| </affected> | ||
| <description>Only one firewall service (ufw, iptables, or nftables) should be active.</description> | ||
| </metadata> | ||
| <criteria> | ||
| <criterion comment="exactly one firewall service is active" | ||
| test_ref="test_{{{ rule_id }}}_single_active_firewall"/> | ||
| </criteria> | ||
| </definition> | ||
|
|
||
| <!-- Objects and states to identify active firewall services --> | ||
| <linux:systemdunitproperty_object id="obj_{{{ rule_id }}}_firewall_services" version="1" | ||
| comment="All active firewall services"> | ||
| <linux:unit operation="pattern match">^(ufw|iptables|nftables).service$</linux:unit> | ||
| <linux:property>ActiveState</linux:property> | ||
| <filter action="include">ste_{{{ rule_id }}}_firewall_services</filter> | ||
| </linux:systemdunitproperty_object> | ||
|
|
||
| <linux:systemdunitproperty_state id="ste_{{{ rule_id }}}_firewall_services" version="1"> | ||
| <linux:value>active</linux:value> | ||
| </linux:systemdunitproperty_state> | ||
|
|
||
| <!-- Count active firewall services --> | ||
| <local_variable id="var_{{{ rule_id }}}_firewall_active_count" datatype="int" version="1" | ||
| comment="Number of currently active firewall services"> | ||
| <count> | ||
| <regex_capture pattern="^active$"> | ||
| <object_component item_field="value" object_ref="obj_{{{ rule_id }}}_firewall_services"/> | ||
| </regex_capture> | ||
| </count> | ||
| </local_variable> | ||
|
|
||
| <!-- Test that count equals one --> | ||
| <ind:variable_test id="test_{{{ rule_id }}}_single_active_firewall" version="1" check="all" | ||
| comment="Verify exactly one firewall service is active"> | ||
| <ind:object object_ref="obj_{{{ rule_id }}}_count"/> | ||
| <ind:state state_ref="ste_{{{ rule_id }}}_count"/> | ||
| </ind:variable_test> | ||
|
|
||
| <ind:variable_object id="obj_{{{ rule_id }}}_count" version="1"> | ||
| <ind:var_ref>var_{{{ rule_id }}}_firewall_active_count</ind:var_ref> | ||
| </ind:variable_object> | ||
|
|
||
| <ind:variable_state id="ste_{{{ rule_id }}}_count" version="1"> | ||
| <ind:value operation="equals" datatype="int">1</ind:value> | ||
| </ind:variable_state> | ||
| </def-group> |
33 changes: 33 additions & 0 deletions
33
linux_os/guide/system/network/firewall_single_service_active/rule.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| documentation_complete: true | ||
|
|
||
|
|
||
| title: 'Ensure Only One Firewall Service is Active' | ||
|
|
||
| description: |- | ||
| The system must have exactly one active firewall service running to avoid conflicts | ||
| and ensure consistent packet filtering. Only one of the following services should | ||
| be enabled and active at any time: | ||
| <ul> | ||
| <li>ufw - Uncomplicated Firewall (Ubuntu/Debian default)</li> | ||
| <li>iptables - Classic Linux firewall</li> | ||
| <li>nftables - Next Generation Firewall replacement for iptables</li> | ||
| </ul> | ||
| Having zero active firewalls leaves the system vulnerable, while having multiple | ||
| active firewalls can lead to rule conflicts and security gaps. | ||
| rationale: |- | ||
| Running multiple firewall services simultaneously can lead to conflicts in rule | ||
| processing, unpredictable behavior, and potential security gaps. A single | ||
| firewall service ensures consistent and predictable packet filtering. | ||
| Having no active firewall service leaves the system exposed to network-based | ||
| attacks and unauthorized access. | ||
| severity: medium | ||
|
|
||
| platform: machine | ||
|
|
||
| warnings: | ||
| - general: |- | ||
| This rule does not come with a remediation. There are specific rules | ||
| for enabling each firewall which should be enabled instead. |
10 changes: 10 additions & 0 deletions
10
linux_os/guide/system/network/firewall_single_service_active/tests/multiple.fail.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| #!?bin/bash | ||
| # | ||
| # remediation = none | ||
|
|
||
| apt install -y iptables nftables ufw | ||
| systemctl stop iptables | ||
| systemctl stop nftables | ||
| systemctl stop ufw | ||
| systemctl start nftables | ||
| systemctl start ufw |
8 changes: 8 additions & 0 deletions
8
linux_os/guide/system/network/firewall_single_service_active/tests/none.fail.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| #!?bin/bash | ||
| # | ||
| # remediation = none | ||
|
|
||
| apt install -y iptables nftables ufw | ||
| systemctl stop iptables | ||
| systemctl stop nftables | ||
| systemctl stop ufw |
9 changes: 9 additions & 0 deletions
9
linux_os/guide/system/network/firewall_single_service_active/tests/single.pass.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| #!?bin/bash | ||
| # | ||
| # remediation = none | ||
|
|
||
| apt install -y iptables nftables ufw | ||
| systemctl stop iptables | ||
| systemctl stop nftables | ||
| systemctl stop ufw | ||
| systemctl start ufw |