ComplianceAsCode · Mab879 · Jan 25, 2023 · Jan 23, 2023 · Jan 23, 2023 · Jan 23, 2023
diff --git a/...ide/system/network/network-iptables/iptables_activation/service_iptables_enabled/rule.yml b/...ide/system/network/network-iptables/iptables_activation/service_iptables_enabled/rule.yml
@@ -23,8 +23,6 @@ references:
     cis@rhel8: 3.4.3.2.6
     cis@sle12: 3.5.1.1
     cis@sle15: 3.5.3.1.1
-    cis@ubuntu2004: 3.5.3.1.1
-    cis@ubuntu2204: 3.5.3.1.1
     cobit5: APO01.06,APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06
     isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3
     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6'

diff --git a/...network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/ansible/shared.yml b/...network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_ubuntu
 
 - name: Check if IPv6 is enabled
   command: sysctl -n net.ipv6.conf.all.disable_ipv6

diff --git a/...tem/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/bash/shared.sh b/...tem/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_ubuntu
 
 if [ "$(sysctl -n net.ipv6.conf.all.disable_ipv6)" -eq 0 ]; then
   # IPv6 is not disabled, so run the script

diff --git a/...de/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml b/...de/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml
@@ -22,7 +22,9 @@ identifiers:
 
 references:
     cis@sle12: 3.5.3.1
-    cis@sle15: 3.5.3.3.2 
+    cis@sle15: 3.5.3.3.2
+    cis@ubuntu2004: 3.5.3.3.2
+    cis@ubuntu2204: 3.5.3.3.2
     pcidss: Req-1.4.1
 
 warnings:

diff --git a/...stem/network/network-iptables/iptables_activation/set_loopback_traffic/ansible/shared.yml b/...stem/network/network-iptables/iptables_activation/set_loopback_traffic/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_ubuntu
 
 - name: Allow incoming traffic on the loopback interface
   ansible.builtin.iptables:

diff --git a/...e/system/network/network-iptables/iptables_activation/set_loopback_traffic/bash/shared.sh b/...e/system/network/network-iptables/iptables_activation/set_loopback_traffic/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_ubuntu
 
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A OUTPUT -o lo -j ACCEPT

diff --git a/...s/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml b/...s/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml
@@ -1,19 +1,19 @@
 documentation_complete: true
 
-title: 'Set configuration for loopback traffic' 
+title: 'Set configuration for loopback traffic'
 
 description: |-
-    Configure the loopback interface to accept traffic. 
-    Configure all other interfaces to deny traffic to the loopback 
+    Configure the loopback interface to accept traffic.
+    Configure all other interfaces to deny traffic to the loopback
     network.
 
 rationale: |-
-    Loopback traffic is generated between processes on machine and is 
-    typically critical to operation of the system. The loopback interface 
-    is the only place that loopback network traffic should be seen, all 
+    Loopback traffic is generated between processes on machine and is
+    typically critical to operation of the system. The loopback interface
+    is the only place that loopback network traffic should be seen, all
     other interfaces should ignore traffic on this network as an
     anti-spoofing measure.
-   
+
 severity: medium
 
 identifiers:
@@ -23,21 +23,24 @@ identifiers:
 references:
     cis@sle12: 3.5.2.1
     cis@sle15: 3.5.2.6,3.5.3.2.2
+    cis@ubuntu2204: 3.5.3.2.2
     pcidss: Req-1.4.1
 
 warnings:
     - general: |-
-        Changing firewall settings while connected over network can 
+        Changing firewall settings while connected over network can
         result in being locked out of the system.
 
 ocil_clause: 'loopback traffic is not configured'
 
 ocil: |-
-    Verify that the loopback interface is configured:
+    Run the following commands and verify output:
+    <pre>
+    # iptables -L INPUT -v -n | grep lo | grep ACCEPT
+    </pre>
     <pre>
-    # nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr'
+    # iptables -L INPUT -v -n | grep 127.0.0.0\/8 | grep DROP
     </pre>
-    If IPv6 is enabled, verify that the IPv6 loopback interface is configured:
     <pre>
-    # nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr'
+    # iptables -L OUTPUT -v -n | grep lo | grep ACCEPT
     </pre>
diff --git a/...x_os/guide/system/network/network-iptables/package_iptables-persistent_installed/rule.yml b/...x_os/guide/system/network/network-iptables/package_iptables-persistent_installed/rule.yml
@@ -0,0 +1,30 @@
+documentation_complete: true
+
+prodtype: ubuntu2004,ubuntu2204
+
+title: 'Install iptables-persistent Package'
+
+description: |-
+    {{{ describe_package_install(package="iptables-persistent") }}}
+
+rationale: |-
+    A method of configuring and maintaining firewall rules is
+    necessary to configure a Host Based Firewall.
+
+severity: medium
+
+references:
+    cis@ubuntu2004: 3.5.3.1.1
+    cis@ubuntu2204: 3.5.3.1.1
+
+ocil_clause: 'the package is not installed'
+
+ocil: '{{{ ocil_package(package="iptables-persistent") }}}'
+
+template:
+    name: package_installed
+    vars:
+        pkgname: iptables-persistent
+
+fixtext: |-
+    {{{ describe_package_install(package="iptables-persistent") }}}
diff --git a/linux_os/guide/system/network/network-iptables/package_iptables-persistent_removed/rule.yml b/linux_os/guide/system/network/network-iptables/package_iptables-persistent_removed/rule.yml
@@ -0,0 +1,30 @@
+documentation_complete: true
+
+prodtype: ubuntu2004,ubuntu2204
+
+title: 'Remove iptables-persistent Package'
+
+description: |-
+    {{{ describe_package_remove(package="iptables-persistent") }}}
+
+rationale: |-
+    Running both <tt>ufw</tt> and the services included in the
+    <tt>iptables-persistent</tt> package may lead to conflict.
+
+severity: medium
+
+references:
+    cis@ubuntu2004: 3.5.1.2
+    cis@ubuntu2204: 3.5.1.2
+
+ocil_clause: 'the package is installed'
+
+ocil: '{{{ ocil_package(package="iptables-persistent") }}}'
+
+template:
+    name: package_removed
+    vars:
+        pkgname: iptables-persisten
+
+fixtext: |-
+    {{{ describe_package_remove(package="iptables-persistent") }}}
diff --git a/linux_os/guide/system/network/network-ufw/package_ufw_removed/rule.yml b/linux_os/guide/system/network/network-ufw/package_ufw_removed/rule.yml
@@ -0,0 +1,30 @@
+documentation_complete: true
+
+prodtype: ubuntu2004,ubuntu2204
+
+title: 'Remove ufw Package'
+
+description: |-
+    {{{ describe_package_remove(package="ufw") }}}
+
+rationale: |-
+    Running <tt>iptables.persistent</tt> with <tt>ufw</tt> enabled may lead
+    to conflict and unexpected results.
+
+severity: medium
+
+references:
+    cis@ubuntu2004: 3.5.2.2
+    cis@ubuntu2204: 3.5.3.1.3
+
+ocil_clause: 'the package is installed'
+
+ocil: '{{{ ocil_package(package="ufw") }}}'
+
+template:
+    name: package_removed
+    vars:
+        pkgname: ufw
+
+fixtext: |-
+    {{{ describe_package_remove(package="ufw") }}}
@@ -380,7 +380,7 @@ selections:
     # Needs rule
 
     #### 3.5.1.2 Ensure iptables-persistent is not installed (Automated)
-    # Needs rule
+    - package_iptables-persistent_removed
 
     #### 3.5.1.3 Ensure ufw service is enabled (Automated)
     # Needs rule
@@ -402,7 +402,7 @@ selections:
     - package_nftables_installed
 
     #### 3.5.2.2 Ensure Uncomplicated Firewall is not installed or disabled (Automated)
-    # Needs rule
+    - package_ufw_removed
 
     #### 3.5.2.3 Ensure iptables are flushed (Manual)
     # Skip due to being a manual test
@@ -432,21 +432,21 @@ selections:
     #### 3.5.3.1 Configure software ####
     ##### 3.5.3.1.1 Ensure iptables packages are installed (Automated)
     - package_iptables_installed
-    - service_iptables_enabled
+    - package_iptables-persistent_installed
 
     ###### 3.5.3.1.2 Ensure nftables is not installed (Automated)
     - service_nftables_disabled
     - package_nftables_removed
 
     ###### 3.5.3.1.3 Ensure Uncomplicated Firewall is not installed or disabled (Automated)
-    # - package_ufw_removed # (Duplicate of above)
+    - package_ufw_removed
 
     #### 3.5.3.2 Configure IPv4 iptables ####
     ###### 3.5.3.2.1 Ensure default deny firewall policy (Automated)
     - set_iptables_default_rule
 
     ###### 3.5.3.2.2 Ensure loopback traffic is configured (Automated)
-    # Needs rules
+    - set_loopback_traffic
 
     ##### 3.5.3.2.3 Ensure outbound and established connections are configured (Manual)
     # Skip due to being a manual test
@@ -459,7 +459,7 @@ selections:
     - set_ip6tables_default_rule
 
     # 3.5.3.3.2 Ensure IPv6 loopback traffic is configured (Automated)
-    # Needs rules
+    - set_ipv6_loopback_traffic
 
     # 3.5.3.3.3 Ensure IPv6 outbound and established connections are configured (Manual)
     # Skip due to being a manual test

@@ -411,7 +411,7 @@ selections:
     - package_ufw_installed
 
     #### 3.5.1.2 Ensure iptables-persistent is not installed with ufw (Automated)
-    # NEEDS RULE
+    - package_iptables-persistent_removed
 
     #### 3.5.1.3 Ensure ufw service is enabled (Automated)
     - service_ufw_enabled
@@ -433,7 +433,7 @@ selections:
     - package_nftables_installed
 
     #### 3.5.2.2 Ensure ufw is uninstalled or disabled with nftables (Automated)
-    # NEEDS RULE
+    - package_ufw_removed
 
     #### 3.5.2.3 Ensure iptables are flushed with nftables (Manual)
     # Skip due to being a manual test
@@ -463,20 +463,21 @@ selections:
     #### 3.5.3.1 Configure iptables software ####
     ##### 3.5.3.1.1 Ensure iptables packages are installed (Automated)
     - package_iptables_installed
+    - package_iptables-persistent_installed
 
     ###### 3.5.3.1.2 Ensure nftables is not installed with iptables (Automated)
     - service_nftables_disabled
     - packages_nftables_removed
 
     ###### 3.5.3.1.3 Ensure ufw is uninstalled or disabled with iptables (Automated)
-    # NEEDS RULE
+    - package_ufw_removed
 
     #### 3.5.3.2 Configure IPv4 iptables ####
     ##### 3.5.3.2.1 Ensure iptables default deny firewall policy (Automated)
-    # NEEDS RULE
+    - set_iptables_default_rule
 
     ##### 3.5.3.2.2 Ensure iptables loopback traffic is configured (Automated)
-    # NEEDS RULE
+    - set_loopback_traffic
 
     ##### 3.5.3.2.3 Ensure iptables outbound and established connections are configured (Manual)
     # Skip due to being a manual test
@@ -486,10 +487,10 @@ selections:
 
     #### 3.5.3.3 Configure IPv6 ip6tables ####
     ##### 3.5.3.3.1 Ensure ip6tables default deny firewall policy (Automated)
-    # NEEDS RULE
+    - set_ip6tables_default_rule
 
     # 3.5.3.3.2 Ensure ip6tables loopback traffic is configured (Automated)
-    # NEEDS RULE
+    - set_ipv6_loopback_traffic
 
     # 3.5.3.3.3 Ensure ip6tables outbound and established connections are configured (Manual)
     # Skip due to being a manual test