New SLE 15 rule set_nftables_base_chain

[rumch-se]

Description:

• _New SLE 15 rule which covers CIS requirement 3.5.2.5 Ensure base chains exist _

Rationale:

• At the moment CIS profile for SLE 15 does not include this rule

[openshift-ci]

Hi @rumch-se. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

sle15 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[rumch-se]

Hello @marcusburghardt
Thank you for your feedback.
I have done the proposed corrections.
Have a nice day
Rumen

[marcusburghardt]

This requirement is intentionally manual in CIS benchmark because both the check and remediation is complex since the requirement can be accomplished by different ways.

Including a very specific approach in remediation is too risky for the system stability. In cases of intentionally manual requirements for CIS, it should be fine to create an OVAL assessment intended help admins and auditors, but I noticed there is no OVAL for this rule.

Regarding the remediation, it should be indeed manual to avoid system disruptions. I can't see a feasible approach robust enough to safely avoid disruptions or undesired changes in intentional settings present in the system.

[rumch-se]

Hello @marcusburghardt
The proposed corrections were done.
In the ansible part - I have added a code which erase the file after the remediation.
Have a nice day
Rumen

[marcusburghardt]

Please, take a look in the failed CI tests. It seems they are legit.

[marcusburghardt]

Creating a script, executing it and finally removing it in Ansible is definitely weird. It is feasible to decompose everything in this remediation in order to use individual Ansible tasks. Please, avoid using this approach in Ansible when individual tasks are doable.

[rumch-se]

Hello @marcusburghardt
I have redesigned bash, and ansible parts of the rule.
Have a nice day
Rumen

[marcusburghardt]

Hello @marcusburghardt I have redesigned bash, and ansible parts of the rule. Have a nice day Rumen

Much better now @rumch-se . I left some other comments after the changes. Thanks

[rumch-se]

Hello @marcusburghardt
Most of the corrections were done. I did not combine type of chain(s) and policies in one variable. "input:accept,forward:accept,output:accept"
Have a nice day
Rumen

[rumch-se]

Hello @marcusburghardt,

I have updated bash and ansible remediation in the following way
Now I check if a table exist - if "yes" I add only these chains which are not exist as a part of the table. If "not" I create a table and add all chains to it. The ansible works in the same way because we can use the following syntax:
nft list table inet example_table - which display all chains and their rules in example_table

source: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-creating_and_managing_nftables_tables_chains_and_rules

Have a nice day
Rumen

[marcusburghardt]

/packit retest-failed

[marcusburghardt]

@rumch-se this rule is almost ready. Thanks for the updates. I have some few comments in the Ansible. Also, it would be great if you include an SCE check for it. We can't currently check this requirement using OVAL, but using SCE it is possible and would be very useful.

[marcusburghardt]

Thanks for the updates in the Ansible remediation @rumch-se .
Regarding the check, do you plan to include a SCE check in this rule since an OVAL is not feasible?
It would be much more useful for users with a check.

[rumch-se]

Hello @marcusburghardt

Would it be possible to give me an example for SCE check, and I will adapt to this case?
Have a nice day
Rumen

[marcusburghardt]

Hello @marcusburghardt

Would it be possible to give me an example for SCE check, and I will adapt to this case? Have a nice day Rumen

Here are some examples in the Project:

• https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/network/network-nftables/set_nftables_table/sce/shared.sh
• https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/services/ssh/ssh_client/ssh_keys_passphrase_protected/sce/shared.sh

[rumch-se]

Hello @marcusburghardt

I have added a SCE check

Have a nice day
Rumen

[marcusburghardt]

Hello @marcusburghardt

I have added a SCE check

Have a nice day Rumen

Thanks!
What about test scenario scripts? This makes the rule much easier to test.

[rumch-se]

Hello @marcusburghardt
I have added test scenario scripts.
Have a nice day
Rumen

[marcusburghardt]

Unfortunately the remediation is failing with some errors. Please, see my comments.

[rumch-se]

Hello @marcusburghardt
I do believe that via my last commit I am providing all corrections you are expecting on.
Have a nice day
Rumen

[marcusburghardt]

Thanks for the updates @rumch-se . I could test the remediations and check successfully. However, I had to update the default values in the variables. Please, see my comments about it. Also, there are some minor issues about the Ansible tasks names.

[rumch-se]

Hello @marcusburghardt
With my last commit I applied proposed changes
Have a nice day
Rumen

[marcusburghardt]

/packit build

[marcusburghardt]

LGTM now. Thanks @rumch-se

[marcusburghardt]

@teacup-on-rockingchair , could you take a look too, please?

[codeclimate]

Code Climate has analyzed commit fb379e6 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 52.4%.

View more on Code Climate.

[teacup-on-rockingchair]

Great contribution 👍