SLE15 add nftables ensure default deny policy

controls/cis_sle15.yml

@@ -1122,7 +1122,10 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    status: manual # rule is missing
+    status: automated
+    rules:
+      - var_nftable_master_config_file=sysconfig
+      - nftables_ensure_default_deny_policy
 
   - id: 3.5.2.9
     title: Ensure nftables service is enabled (Automated)

linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/oval/sle15.xml

@@ -0,0 +1,70 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("Make sure that there is permanent nftables configuration is configured
+    with default chains policy drop") }}}
+    <criteria operator="AND">
+      <criterion test_ref="test_{{{ rule_id }}}_file"
+                 comment="Check the existence of top level nftables configuration file" />
+      <criterion test_ref="test_{{{ rule_id }}}_include_chains_policy"
+                 comment="Check the contents of configuration files for default chains policy"/>
+    </criteria>
+  </definition>
+  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_file"
+  comment="Check top level configuration file is named as expected"
+  check="all" check_existence="all_exist" version="1">
+    <ind:object object_ref="object_{{{ rule_id }}}_file" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_{{{ rule_id }}}_file" version="1">
+    <ind:filepath operation="equals" var_ref="var_nftable_master_config_file"/>
+    <ind:pattern operation="pattern match">^[\s]*include[\s]+\"([^\s]+)"$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <external_variable comment="file path" datatype="string"
+                     id="var_nftable_master_config_file" version="1"/>
+  <local_variable id="var_{{{ rule_id }}}_families_config_paths" datatype="string" version="1"
+                  comment="File paths of all needed families part of the permanent configuration">
+    <unique>
+      <glob_to_regex>
+        <object_component item_field="subexpression" object_ref="object_{{{ rule_id }}}_file" />
+      </glob_to_regex>
+    </unique>
+  </local_variable>
+
+
+    <local_variable id="var_{{{ rule_id }}}_include_chains_configurations" datatype="string" version="1"
+                  comment="Chain configuration statements">
+    <unique>
+      <glob_to_regex>
+        <object_component item_field="subexpression" object_ref="object_{{{ rule_id }}}_include_chains_policy" />
+      </glob_to_regex>
+    </unique>
+  </local_variable>
+
+  <ind:variable_object id="object_var_{{{ rule_id }}}_include_chains_configurations" version="1">
+    <ind:var_ref>var_{{{ rule_id }}}_include_chains_configurations</ind:var_ref>
+  </ind:variable_object>
+
+
+  <ind:textfilecontent54_object id="object_{{{ rule_id }}}_include_chains_policy" version="1">
+    <ind:filepath operation="pattern match" var_check="at least one"
+                  var_ref="var_{{{ rule_id }}}_families_config_paths"/>
+    <ind:pattern operation="pattern match"
+                 >\s*chain\s*\w*\s*\{([^\}]*)\}</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:variable_state id="state_{{{ rule_id }}}_include_chains_policy"
+                               comment="policy should be drop" version="1">
+   <ind:value datatype="string" operation="pattern match">\;\s*policy drop\s*\;</ind:value>
+  </ind:variable_state>
+
+
+  <ind:variable_test id="test_{{{ rule_id }}}_include_chains_policy" check="all"
+                              check_existence="all_exist" version="1"
+                              comment="Check configuration files for default chains policy">
+    <ind:object object_ref="object_var_{{{ rule_id }}}_include_chains_configurations" />
+    <ind:state state_ref="state_{{{ rule_id }}}_include_chains_policy" />
+
+  </ind:variable_test>
+
+</def-group>

linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml

@@ -0,0 +1,37 @@
+documentation_complete: true
+
+prodtype: sle15
+
+title: 'Ensure nftables default deny firewall policy'
+
+description: |-
+   Base chain policy is the default verdict that will be applied to packets reaching the end of
+   the chain.
+
+rationale: |-
+    There are two policies: accept (Default) and drop. If the policy is set to accept, the
+    firewall will accept any packet that is not configured to be denied and the packet will
+    continue traversing the network stack. It is easier to allow acceptable usage than to block
+    unacceptable usage.
+
+severity: medium
+
+identifiers:
+    cce@sle15: CCE-92507-3
+
+references:
+    cis@sle15: 3.5.2.8
+
+ocil_clause: 'default policy is not set for nftables rules'
+
+warnings:
+   - general: |-
+       Changing firewall settings while connected over network can result in being locked out
+       of the system.
+
+ocil: |-
+    Run the following commands and verify that base chains contain a policy of DROP:
+    <pre>$ sudo nft list ruleset | grep 'hook input' </pre>
+    Output should include a list of nftables similar to:
+    <tt>type filter hook input priority 0; policy drop; </tt>
+    Same goes not only for <tt>hook input</tt>, but also <tt>output</tt> and <tt>forward</tt>

shared/references/cce-sle15-avail.txt

@@ -17,7 +17,6 @@ CCE-92501-6
 CCE-92503-2
 CCE-92505-7
 CCE-92506-5
-CCE-92507-3
 CCE-92508-1
 CCE-92509-9
 CCE-92510-7