New SLE 15 rule ensure_iptables_are_flushed

controls/cis_sle15.yml

@@ -1039,7 +1039,12 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    status: manual # rule is missing
+    status: manual 
+    notes: >- 
+       The control cannot be automated, 
+       and should be addressed manually. 
+    rules:
+      - ensure_iptables_are_flushed
 
   - id: 3.5.2.4
     title: Ensure a table exists (Automated)

linux_os/guide/system/network/network-iptables/ensure_iptables_are_flushed/rule.yml

@@ -0,0 +1,35 @@
+documentation_complete: true
+
+prodtype: sle15
+
+title: 'Ensure iptables are flushed'
+
+description: |-
+    nftables is a replacement for iptables, ip6tables, ebtables and arptables
+
+rationale: |-
+    It is possible to mix iptables and nftables. However, this increases complexity 
+    and also the chance to introduce errors. For simplicity flush out all iptables 
+    rules, and ensure it is not loaded.
+
+severity: medium
+
+identifiers:
+    cce@sle15: CCE-92523-0
+
+references:
+    cis@sle15: 3.5.2.3
+
+ocil_clause: 'Your system is configured to use nftables, but iptables rules exist on it'
+
+ocil: |-
+    To verify that on your system not iptables rules exist, and no rules will be returned 
+    run the following command:
+    <pre>$ sudo iptables -L</pre>
+    and/or to verify that on your system not ip6tables rules exist, and no rules will be 
+    returned run:
+    <pre>$ sudo ip6tables -L</pre>
+    To flush iptables run the following command:
+    <pre>$ sudo iptables -F</pre>
+    and/or to flush ip6tbales run:
+    <pre>$ sudo ip6tables -F</pre> 

shared/references/cce-sle15-avail.txt

@@ -43,7 +43,6 @@ CCE-92519-8
 CCE-92520-6
 CCE-92521-4
 CCE-92522-2
-CCE-92523-0
 CCE-92524-8
 CCE-92525-5
 CCE-92526-3