From a9babe15e104fcc3183c085364d0edb09fbafa78 Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Wed, 27 Nov 2024 16:30:40 +0100
Subject: [PATCH] Update ubuntu2404 CIS control 4.3.8

---
 controls/cis_ubuntu2404.yml | 5 ++---
 .../nftables_ensure_default_deny_policy/rule.yml | 14 ++++++++++++--
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index 3323ddee88f..521934ef424 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -1398,10 +1398,9 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- related_rules:
+ rules:
 - nftables_ensure_default_deny_policy
- status: planned
- notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/3.5.2.8.
+ status: automated
 - id: 4.3.9
 title: Ensure nftables service is enabled (Automated)
diff --git a/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml b/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml
index a08f633d25a..f4d780bdd5f 100644
--- a/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml
+++ b/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml
@@ -1,6 +1,5 @@
 documentation_complete: true
-
 title: 'Ensure nftables Default Deny Firewall Policy'
 description: |-
@@ -9,12 +8,23 @@ description: |-
 the firewall will accept any packet that is not configured to be denied and
 the packet will continue traversing the network stack.
+ {% if 'ubuntu' in product %}
+ Run the following commands and verify that base chains contain a policy of DROP.
+
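Review bot: The control's status moves from `planned` to `automated` while the removed `notes:` line said a partial/incorrect implementation existed, and this patch only edits the rule's description text and `platform:` line, not its check content, so the earlier concern is not visibly resolved. If the check was verified against CIS 4.3.8 on 24.04, record that instead of dropping the note entirely, e.g. `notes: Check verified against 4.3.8; ufw-managed hosts are out of scope via the rule platform.` The rule's new platform expression also requires `service_disabled[ufw]`, so on hosts where ufw is active this automated control will presumably be reported as not applicable rather than pass/fail; stating that in the control keeps scan results from being misread as coverage.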
+   $ nft list ruleset | grep 'hook input'
+   type filter hook input priority 0; policy drop;
+   $ nft list ruleset | grep 'hook forward'
+   type filter hook forward priority 0; policy drop;
+   $ nft list ruleset | grep 'hook output'
+   type filter hook output priority 0; policy drop;
+   
+ rationale: | It is easier to allow acceptable usage than to block unacceptable usage. severity: medium -platform: package[nftables] and service_disabled[firewalld] +platform: package[nftables] and service_disabled[firewalld] and service_disabled[ufw] identifiers: cce@sle15: CCE-92507-3
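Review bot: The added Ubuntu-only text shows `priority 0; policy drop;` as the expected output, but the requirement the paragraph states is only that each base chain carries `policy drop`; a chain hooked at a different priority satisfies the control yet would not match the sample lines, so I'd word it `verify that every base chain for the input, forward and output hooks shows policy drop (the priority value may differ)`. Whether the `{% if 'ubuntu' in product %}` block is closed by a matching `{% endif %}` is not visible here — the hunk text appears to have lost markup around the command listing — so please confirm the template renders. The `platform:` change silently excludes ufw-managed hosts; a comment above that line such as `# hosts where ufw is active are out of scope: this rule applies only where nftables is managed directly` would record the intent for the next reader.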