
Issue on check on firewall rules (Ubuntu 22-04 + UFW) #11907

Open
marcofortina opened this issue Apr 26, 2024 · 5 comments
Labels
Ubuntu Ubuntu product related.

Comments

@marcofortina
Contributor

Description of problem:

CIS Ubuntu Linux 22.04 LTS Benchmark offers the option to use any of ufw, nftables or iptables, but if you choose to use ufw as your system firewall, all checks give incorrect results.

SCAP Security Guide Version:

master branch

Operating System Version:

Ubuntu 22.04 LTS

Steps to Reproduce:

  1. Apply CIS Ubuntu 22.04 Level 2 Server Benchmark choosing UFW as firewall
  2. Execute oscap: `oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_level2_server ssg-ubuntu2204-ds.xml`

Actual Results:

Title   Install nftables Package
Rule    xccdf_org.ssgproject.content_rule_package_nftables_installed
Result  pass

Title   Verify nftables Service is Enabled
Rule    xccdf_org.ssgproject.content_rule_service_nftables_enabled
Result  fail

Title   Ensure nftables Default Deny Firewall Policy
Rule    xccdf_org.ssgproject.content_rule_nftables_ensure_default_deny_policy
Result  notchecked

Title   Ensure nftables Rules are Permanent
Rule    xccdf_org.ssgproject.content_rule_nftables_rules_permanent
Result  fail

Title   Ensure Base Chains Exist for Nftables
Rule    xccdf_org.ssgproject.content_rule_set_nftables_base_chain
Result  notchecked

Title   Set nftables Configuration for Loopback Traffic
Rule    xccdf_org.ssgproject.content_rule_set_nftables_loopback_traffic
Result  notchecked

Title   Ensure a Table Exists for Nftables
Rule    xccdf_org.ssgproject.content_rule_set_nftables_table
Result  notchecked

Title   Remove ufw Package
Rule    xccdf_org.ssgproject.content_rule_package_ufw_removed
Result  fail

Title   Verify ufw Enabled
Rule    xccdf_org.ssgproject.content_rule_service_ufw_enabled
Result  pass

Title   Ensure ufw Default Deny Firewall Policy
Rule    xccdf_org.ssgproject.content_rule_set_ufw_default_rule
Result  notchecked

Title   Set UFW Loopback Traffic
Rule    xccdf_org.ssgproject.content_rule_set_ufw_loopback_traffic
Result  notchecked

Title   Ensure ufw Firewall Rules Exist for All Open Ports
Rule    xccdf_org.ssgproject.content_rule_ufw_rules_for_open_ports
Result  notchecked

Expected Results:

Title   Install nftables Package
Rule    xccdf_org.ssgproject.content_rule_package_nftables_installed
Result  notchecked

Title   Verify nftables Service is Enabled
Rule    xccdf_org.ssgproject.content_rule_service_nftables_enabled
Result  notchecked

Title   Ensure nftables Default Deny Firewall Policy
Rule    xccdf_org.ssgproject.content_rule_nftables_ensure_default_deny_policy
Result  notchecked

Title   Ensure nftables Rules are Permanent
Rule    xccdf_org.ssgproject.content_rule_nftables_rules_permanent
Result  notchecked

Title   Ensure Base Chains Exist for Nftables
Rule    xccdf_org.ssgproject.content_rule_set_nftables_base_chain
Result  notchecked

Title   Set nftables Configuration for Loopback Traffic
Rule    xccdf_org.ssgproject.content_rule_set_nftables_loopback_traffic
Result  notchecked

Title   Ensure a Table Exists for Nftables
Rule    xccdf_org.ssgproject.content_rule_set_nftables_table
Result  notchecked

Title   Remove ufw Package
Rule    xccdf_org.ssgproject.content_rule_package_ufw_removed
Result  notchecked

Title   Verify ufw Enabled
Rule    xccdf_org.ssgproject.content_rule_service_ufw_enabled
Result  pass

Title   Ensure ufw Default Deny Firewall Policy
Rule    xccdf_org.ssgproject.content_rule_set_ufw_default_rule
Result  pass

Title   Set UFW Loopback Traffic
Rule    xccdf_org.ssgproject.content_rule_set_ufw_loopback_traffic
Result  pass

Title   Ensure ufw Firewall Rules Exist for All Open Ports
Rule    xccdf_org.ssgproject.content_rule_ufw_rules_for_open_ports
Result  pass

Additional Information/Debugging Steps:

PR #10812 fixed the checks on RHEL-like systems using firewalld, but not on Debian-like systems using Uncomplicated Firewall.

@dodys dodys added the Ubuntu Ubuntu product related. label Apr 29, 2024
@dodys
Contributor

dodys commented Apr 29, 2024

for firewall rules you will need to use a tailoring file to select the firewall you want. By default the profile is enabled for nftables only.

@marcofortina
Contributor Author

> for firewall rules you will need to use a tailoring file to select the firewall you want. By default the profile is enabled for nftables only.

Hello! Could you please explain how to use a tailoring file?

Thanks

@dodys
Contributor

dodys commented Apr 30, 2024

> for firewall rules you will need to use a tailoring file to select the firewall you want. By default the profile is enabled for nftables only.
>
> Hello! Could you please explain how to use a tailoring file?
>
> Thanks

you can either use scap-workbench or use autotailor
for more information see: https://github.com/OpenSCAP/openscap/blob/main/docs/manual/manual.adoc#61-creating-tailoring-files

@marcofortina
Contributor Author

> for firewall rules you will need to use a tailoring file to select the firewall you want. By default the profile is enabled for nftables only.
>
> Hello! Could you please explain how to use a tailoring file?
> Thanks
>
> you can either use scap-workbench or use autotailor
> for more information see: https://github.com/OpenSCAP/openscap/blob/main/docs/manual/manual.adoc#61-creating-tailoring-files

Could you please guide me to do this writing a step-by-step procedure for dummies?

Thanks

@dodys
Contributor

dodys commented May 6, 2024

> for firewall rules you will need to use a tailoring file to select the firewall you want. By default the profile is enabled for nftables only.
>
> Hello! Could you please explain how to use a tailoring file?
> Thanks
>
> you can either use scap-workbench or use autotailor
> for more information see: https://github.com/OpenSCAP/openscap/blob/main/docs/manual/manual.adoc#61-creating-tailoring-files
>
> Could you please guide me to do this writing a step-by-step procedure for dummies?
>
> Thanks

You will need to install openscap-utils in a newer release of ubuntu for that as the tool is only packaged in openscap 1.3.

Then you can:

```
$ autotailor --select package_ufw_installed --select service_nftables_disabled --select package_nftables_removed --unselect package_nftables_installed --unselect package_ufw_removed --output csl2.xml -p xccdf_org.ssgproject.content_profile_cis_level2_server_customized ssg-ubuntu2204-ds.xml xccdf_org.ssgproject.content_profile_cis_level2_server
```

That generates a csl2.xml file that you can use with oscap.

With that you can follow
https://github.com/OpenSCAP/openscap/blob/main/docs/manual/manual.adoc#using-tailoring-files
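For readers who cannot install a newer openscap-utils, the following added example (not part of this issue, and not autotailor's or OpenSCAP's own code) builds the equivalent XCCDF 1.2 tailoring file with only the Python standard library. The profile and rule identifiers are the ones from the autotailor command above; the tailoring id, the profile title and description, and the output file name `csl2.xml` are assumptions. It also parses the generated file back so you can confirm which firewall rules end up selected before running the scan, which is the check that would have caught the nftables-only default behind this issue.

```python
"""Build an XCCDF 1.2 tailoring file that customizes the CIS Level 2 Server
profile for Ubuntu 22.04 to audit ufw instead of nftables.

Constructed example: the rule and profile ids below come from the issue
thread; the tailoring id, title and description text are assumptions.
"""
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
ET.register_namespace("xccdf-1.2", XCCDF_NS)

DATASTREAM = "ssg-ubuntu2204-ds.xml"
BASE_PROFILE = "xccdf_org.ssgproject.content_profile_cis_level2_server"
NEW_PROFILE = BASE_PROFILE + "_customized"
TAILORING_ID = "xccdf_org.ssgproject.content_tailoring_ufw"  # assumed id

# Same short rule names as the --select / --unselect flags in the thread.
SELECT = ["package_ufw_installed", "service_nftables_disabled",
          "package_nftables_removed"]
UNSELECT = ["package_nftables_installed", "package_ufw_removed"]


def q(tag):
    """Qualify an XCCDF tag name with its namespace for ElementTree."""
    return f"{{{XCCDF_NS}}}{tag}"


def rule_id(short_name):
    """Expand a short SSG rule name to its full XCCDF rule id."""
    return f"xccdf_org.ssgproject.content_rule_{short_name}"


def build_tailoring(selects, unselects, datastream=DATASTREAM,
                    base_profile=BASE_PROFILE, new_profile=NEW_PROFILE):
    """Return the tailoring document as an XML string.

    A rule listed in both selects and unselects is a configuration error
    rather than something to resolve silently, so it raises.
    """
    clash = set(selects) & set(unselects)
    if clash:
        raise ValueError(f"rules both selected and unselected: {sorted(clash)}")

    root = ET.Element(q("Tailoring"), id=TAILORING_ID)
    ET.SubElement(root, q("benchmark"), href=datastream)
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    ET.SubElement(root, q("version"), time=stamp).text = "1"

    # The new profile extends the shipped one and only overrides selections.
    profile = ET.SubElement(root, q("Profile"), id=new_profile,
                            extends=base_profile)
    ET.SubElement(profile, q("title")).text = \
        "CIS Ubuntu 22.04 Level 2 Server, ufw instead of nftables (assumed)"
    ET.SubElement(profile, q("description")).text = \
        "Selects the ufw rules and unselects the nftables rules."
    for name in selects:
        ET.SubElement(profile, q("select"), idref=rule_id(name), selected="true")
    for name in unselects:
        ET.SubElement(profile, q("select"), idref=rule_id(name), selected="false")
    return ET.tostring(root, encoding="unicode")


def parse_selections(xml_text):
    """Read a tailoring file back into {rule_id: selected_bool}."""
    root = ET.fromstring(xml_text)
    profile = root.find(q("Profile"))
    return {el.get("idref"): el.get("selected") == "true"
            for el in profile.findall(q("select"))}


def extended_profile(xml_text):
    """Return the id of the shipped profile the tailoring extends."""
    return ET.fromstring(xml_text).find(q("Profile")).get("extends")


if __name__ == "__main__":
    out = sys.argv[1] if len(sys.argv) > 1 else "csl2.xml"
    doc = build_tailoring(SELECT, UNSELECT)
    with open(out, "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0" encoding="UTF-8"?>\n' + doc)
    # Scan with the customized profile, e.g.:
    #   oscap xccdf eval --tailoring-file csl2.xml \
    #       --profile xccdf_org.ssgproject.content_profile_cis_level2_server_customized \
    #       ssg-ubuntu2204-ds.xml
    for rid, on in sorted(parse_selections(doc).items()):
        print(f"{'select' if on else 'unselect':8} {rid}")
```

The generated file carries the same five selections as the autotailor command, so the nftables package, service and rule checks no longer fire on a ufw host while the ufw checks (including the default-deny and loopback rules that reported `notchecked` above) become part of the evaluated profile.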
