CCE-95493-3 | Platform: cpe:/o:amazon:linux:2, cpe:/o:centos:centos:7, cpe:/o:oracle:linux:7, cpe:/o:oracle:linux:8, cpe:/o:redhat:enterprise_linux:7, cpe:/o:redhat:enterprise_linux:8, cpe:/o:redhat:enterprise_linux:9 | Date: (C)2021-03-05 (M)2023-07-04
Description:
nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames.
The nftables service reads the /etc/sysconfig/nftables.conf file for the nftables file or files to include in the nftables ruleset.
An nftables ruleset containing the input, forward, and output base chains allows network traffic to be filtered.
Rationale:
Changes made to the nftables ruleset only affect the live system; you will also need to configure the nftables ruleset to be applied on boot.
Audit:
Run the following commands to verify that the input, forward, and output base chains are configured to be applied to the nftables ruleset on boot:
Run the following command to verify the input base chain:
# awk '/hook input/,/}/' $(awk '$1 ~ /^\s*include/ { gsub("\"","",$2);print $2 }' /etc/sysconfig/nftables.conf)
Output should be similar to:
type filter hook input priority 0; policy drop;
# Ensure loopback traffic is configured
iif "lo" accept
ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop
ip6 saddr ::1 counter packets 0 bytes 0 drop
# Ensure established connections are configured
ip protocol tcp ct state established accept
ip protocol udp ct state established accept
ip protocol icmp ct state established accept
# Accept port 22(SSH) traffic from anywhere
tcp dport ssh accept
# Accept ICMP and IGMP from anywhere
icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
Note: Review the input base chain to ensure that it follows local site policy.
Run the following command to verify the forward base chain:
# awk '/hook forward/,/}/' $(awk '$1 ~ /^\s*include/ { gsub("\"","",$2);print $2 }' /etc/sysconfig/nftables.conf)
Output should be similar to:
# Base chain for hook forward named forward (Filters forwarded network packets)
chain forward {
type filter hook forward priority 0; policy drop;
}
Note: Review the forward base chain to ensure that it follows local site policy.
Run the following command to verify the output base chain:
# awk '/hook output/,/}/' $(awk '$1 ~ /^\s*include/ { gsub("\"","",$2);print $2 }' /etc/sysconfig/nftables.conf)
Output should be similar to:
# Base chain for hook output named output (Filters outbound network packets)
chain output {
type filter hook output priority 0; policy drop;
# Ensure outbound and established connections are configured
ip protocol tcp ct state established,related,new accept
ip protocol tcp ct state established,related,new accept
ip protocol udp ct state established,related,new accept
ip protocol icmp ct state established,related,new accept
}
Note: Review the output base chain to ensure that it follows local site policy.
Remediation:
Edit the /etc/sysconfig/nftables.conf file and un-comment or add an include line for each nftables file you want included in the nftables ruleset on boot.
Example:
# vi /etc/sysconfig/nftables.conf
Add the line:
include "/etc/nftables/nftables.rules"
Parameter:
[yes/no]
Technical Mechanism:
Edit the /etc/sysconfig/nftables.conf file and un-comment or add a line of the form include "<absolute path to nftables rules file>" for each nftables file you want included in the nftables ruleset on boot.
Example:
# vi /etc/sysconfig/nftables.conf
Add the line:
include "/etc/nftables/nftables.rules"
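As an added example (not part of this CCE entry or of the benchmark it is derived from), the POSIX shell script below turns the audit and remediation above into one check: it extracts the active include lines from a nftables.conf the way the benchmark's awk does (using a portable /^include/ match on the first field instead of GNU awk's \s*), confirms that every included file is readable, and confirms that the included rules define a base chain for each of the input, forward and output hooks. The function and variable names, the temporary directory, and the rules contents are constructed sample data; on a real host you would call check_base_chains on /etc/sysconfig/nftables.conf.

```shell
#!/bin/sh
# Added example, not part of the CCE entry: audit that the rules files included
# from a nftables.conf define the input, forward and output base chains.
# All paths, file names and rule contents below are constructed sample data.

# Print the rules files named by active (non-commented) include lines.
# Same idea as the benchmark's awk: first field starts with "include",
# strip the quotes from the second field and print the path.
nft_included_files() {
    awk '$1 ~ /^include/ { gsub("\"", "", $2); print $2 }' "$1"
}

# Return 0 when every included file is readable and, between them, the files
# define a base chain for each of the input, forward and output hooks.
# Otherwise print each problem found and return 1.
check_base_chains() {
    conf="$1"
    files=$(nft_included_files "$conf")
    if [ -z "$files" ]; then
        echo "no active include line in $conf"
        return 1
    fi
    rc=0
    for f in $files; do
        # An include of a missing file breaks loading of the whole ruleset at boot.
        [ -r "$f" ] || { echo "included file $f is not readable"; rc=1; }
    done
    for hook in input forward output; do
        # shellcheck disable=SC2086  # splitting $files into arguments is intended
        if ! grep -q "type filter hook $hook" $files 2>/dev/null; then
            echo "no base chain for hook $hook in the included rules"
            rc=1
        fi
    done
    return $rc
}

# --- constructed sample data (stands in for /etc/sysconfig and /etc/nftables) ---
DEMO=$(mktemp -d)

# Complete ruleset: all three base chains, default policy drop.
cat > "$DEMO/nftables.rules" <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        tcp dport ssh accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related,new accept
    }
}
EOF

# Ruleset that is missing the forward base chain.
cat > "$DEMO/partial.rules" <<'EOF'
table inet filter {
    chain input  { type filter hook input  priority 0; policy drop; }
    chain output { type filter hook output priority 0; policy accept; }
}
EOF

# Compliant conf: a commented-out include (which must be ignored) plus an active one.
SAMPLE_CONF_OK="$DEMO/nftables.conf"
cat > "$SAMPLE_CONF_OK" <<EOF
#include "/etc/nftables/main.nft"
include "$DEMO/nftables.rules"
EOF

# Non-compliant conf: a ruleset without a forward chain and a file that does not exist.
SAMPLE_CONF_BAD="$DEMO/nftables-bad.conf"
cat > "$SAMPLE_CONF_BAD" <<EOF
include "$DEMO/partial.rules"
include "$DEMO/does-not-exist.rules"
EOF

echo "checking $SAMPLE_CONF_OK";  check_base_chains "$SAMPLE_CONF_OK"  && echo "PASS"
echo "checking $SAMPLE_CONF_BAD"; check_base_chains "$SAMPLE_CONF_BAD" || echo "FAIL"
```

The check deliberately reports every problem rather than stopping at the first, so a single run tells you both that an include points at a file that does not exist and which base chain is absent; the benchmark's three separate awk invocations still remain the way to review the actual rule bodies against local site policy.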
CCSS Severity:
CCSS Score: 10.0
Exploit Score: 3.9
Impact Score: 6.0
Severity: CRITICAL
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CCSS Metrics:
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH
References:
Resource Id | Reference
---|---
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:73044
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:72833
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:72730
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:71990
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:72356
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:84230
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:72939
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:68644