Better description and test scenarios for set_nftables_table #11991
The rule description was improved by using variable values instead of static values. A warning was also included informing that both the SCE check and the remediation consider runtime settings only.
The Bash remediation is now precisely checking the existence of the table name and its family. Previously, the remediation was prone to be ignored in case any other table was present.
There are now test scenario scripts which can be used to test the SCE check and the remediations.
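The difference between the old and the new remediation check, as an added example that is not part of the PR or the ComplianceAsCode project: the old logic skipped creation whenever any table existed, the new logic asks for the exact family/table pair. The `nft list tables` output below is constructed, and the `inet firewalld` pair is an assumed target, not a value from the page.

```shell
#!/bin/sh
# Added example (not project code): old "any table present" test versus
# new "this family and this table" test, run over constructed
# `nft list tables` output of the form "table <family> <name>".

# Constructed listing: unrelated tables exist, the wanted one does not.
SAMPLE_TABLES='table ip nat
table ip6 raw'

# Old logic: remediation was needed only when no table existed at all,
# so any unrelated table made the fix a no-op.
old_needs_remediation() {
    # $1: output of `nft list tables`
    [ -z "$1" ]
}

# New logic: remediation is needed unless the exact pair is listed.
new_needs_remediation() {
    # $1: output of `nft list tables`; $2: family; $3: table name
    ! printf '%s\n' "$1" | grep -qx "table $2 $3"
}

decide() {
    # Prints "create" or "skip" for a listing, family and table name.
    if new_needs_remediation "$1" "$2" "$3"; then
        echo create
    else
        echo skip
    fi
}
```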
This datastream diff is auto generated by the check. New content has different text for rule 'xccdf_org.ssgproject.content_rule_set_nftables_table'.
--- xccdf_org.ssgproject.content_rule_set_nftables_table
+++ xccdf_org.ssgproject.content_rule_set_nftables_table
@@ -6,13 +6,34 @@
Tables in nftables hold chains. Each table only has one address family and only applies
to packets of this family. Tables can have one of six families.
+Red Hat Enterprise Linux 8 uses firewalld for firewall management. When nftables is
+the firewall backend used by firewalld, an 'xccdf_org.ssgproject.content_value_var_nftables_family'
+family table called 'xccdf_org.ssgproject.content_value_var_nftables_table' is used.
+
+To verify that the nftables table used by firewalld exists, run the following
+command:
+$ sudo nft list tables
+table 'xccdf_org.ssgproject.content_value_var_nftables_family'
+ 'xccdf_org.ssgproject.content_value_var_nftables_table'
+
+This table is automatically created by firewalld when it is started.
+
[warning]:
-Adding rules to a running nftables can cause loss of connectivity to the system.
+Adding or editing rules in a running nftables can cause loss of connectivity to the system.
+
+[warning]:
+Both the SCE check and remediation for this rule only consider runtime settings.
+There is no specific file to check as it depends on each site's policy. Therefore, check
+and remediation use the nft command directly. The fix is not persistent across system
+reboots.
+
+[warning]:
+SCE check does not support variables, therefore the SCE check in this rule only checks the
+address family, regardless of the table name.
[rationale]:
-Nftables doesn't have any default tables. Without a table being built, nftables will not filter
-network traffic.
-Note: adding rules to a running nftables can cause loss of connectivity to the system.
+Nftables doesn't have any default tables. Without a table being built, nftables will not
+filter network traffic.
[ident]:
CCE-86162-5
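Review bot: the sample output in the new "To verify" block splits one nft output line across two lines ("table 'xccdf_org.ssgproject.content_value_var_nftables_family'" and then " 'xccdf_org.ssgproject.content_value_var_nftables_table'"), which no longer matches what nft list tables prints; keep family and table name on the same line so the rendered description shows "table <family> <table>" as a single line. The third warning also states that the SCE check ignores the table name, while the verification text asks the reader to look for a specific table; one sentence in the verification block saying the automated check only validates the family would keep the two consistent.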
OCIL for rule 'xccdf_org.ssgproject.content_rule_set_nftables_table' differs.
--- ocil:ssg-set_nftables_table_ocil:questionnaire:1
+++ ocil:ssg-set_nftables_table_ocil:questionnaire:1
@@ -2,7 +2,7 @@
$ sudo nft list tables
Output should include a list of nftables similar to:
- table inet filter
+ table
Is it the case that a nftables table does not exist?
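Review bot: the replacement line "+ table" drops both the family and the table name, so the OCIL now tells the reader the output should include a line reading just "table", which no real nft output contains; if variable substitution is not rendered in OCIL, spell out the expected format literally (for example "table <family> <name>") or keep a concrete sample such as the previous "table inet filter". The question "Is it the case that a nftables table does not exist?" is unchanged even though the rule now targets a specific family/table pair, so it could be narrowed accordingly.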
bash remediation for rule 'xccdf_org.ssgproject.content_rule_set_nftables_table' differs.
--- xccdf_org.ssgproject.content_rule_set_nftables_table
+++ xccdf_org.ssgproject.content_rule_set_nftables_table
@@ -1,17 +1,12 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q nftables; then
-#Set nftables family name
var_nftables_family=''
-
-#Set nftables table name
var_nftables_table=''
-IS_TABLE=$(nft list tables)
-if [ -z "$IS_TABLE" ]
-then
+if ! nft list table $var_nftables_family $var_nftables_table; then
nft create table "$var_nftables_family" "$var_nftables_table"
fi
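Review bot: in the new condition "if ! nft list table $var_nftables_family $var_nftables_table; then" the two variables are unquoted, while the create line below quotes them; quote them on both lines for consistency and so that an empty value fails visibly instead of silently changing the argument count. The listing command also leaves stdout and stderr attached, so a successful run prints the whole table definition and a missing table prints an nft error during remediation; redirecting with ">/dev/null 2>&1" keeps the remediation output clean.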
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_set_nftables_table' differs.
--- xccdf_org.ssgproject.content_rule_set_nftables_table
+++ xccdf_org.ssgproject.content_rule_set_nftables_table
@@ -21,8 +21,11 @@
- always
- name: Collect Existing Nftables
- ansible.builtin.command: nft list tables
- register: existing_nftables
+ ansible.builtin.command: nft list table {{ var_nftables_family }} {{ var_nftables_table
+ }}
+ register: result_nftables_table_family
+ changed_when: false
+ failed_when: result_nftables_table_family.rc not in [0, 1]
when: '"nftables" in ansible_facts.packages'
tags:
- CCE-86162-5
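Review bot: "failed_when: result_nftables_table_family.rc not in [0, 1]" treats every exit code 1 as "table is missing", but nft also returns 1 for other errors (bad family name, insufficient privileges), so those cases would later be mistaken for an absent table; consider also inspecting stderr, or documenting this assumption in the task name. "changed_when: false" on the list task is the right call since it only reads state.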
@@ -38,8 +41,8 @@
}}
when:
- '"nftables" in ansible_facts.packages'
- - existing_nftables is not skipped
- - existing_nftables.stdout_lines | length == 0
+ - result_nftables_table_family is not skipped
+ - result_nftables_table_family.rc != 0
tags:
- CCE-86162-5
- low_complexity |
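Review bot: the create task's condition "result_nftables_table_family.rc != 0" only reaches this point with rc equal to 1, since the earlier failed_when aborts on any other code; writing it as "rc == 1" would make that dependency explicit and mirror the bash "! nft list table" branch more readably.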
...m/network/network-nftables/set_nftables_table/tests/nftables_incorrect_table_present.fail.sh
SCE check does not support variables, therefore the SCE check in this rule only checks the address family, regardless of the table name.
Code Climate has analyzed commit c79fac7 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.4% (0.0% change).
jcerny@fedora:~/work/git/scap-security-guide (pr/11991)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 set_nftables_table
Setting console output to log level INFO
INFO - The data stream contains 3 Benchmarks
INFO - 0 - scap_org.open-scap_cref_ssg-rhel9-xccdf.xml
INFO - 1 - scap_org.open-scap_cref_rhel9-checks-sce-set_nftables_table.sh
INFO - 2 - scap_org.open-scap_cref_rhel9-checks-sce-ssh_keys_passphrase_protected.sh
INFO - Selected Benchmark is 0
INFO - To select a different Benchmark, use --xccdf-id-number option.
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-05-16-1059/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_set_nftables_table
INFO - Script nftables_incorrect_family.fail.sh using profile (all) OK
INFO - Script nftables_no_tables.fail.sh using profile (all) OK
INFO - Script nftables_table_present.pass.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/11991)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible set_nftables_table
Setting console output to log level INFO
INFO - The data stream contains 3 Benchmarks
INFO - 0 - scap_org.open-scap_cref_ssg-rhel9-xccdf.xml
INFO - 1 - scap_org.open-scap_cref_rhel9-checks-sce-set_nftables_table.sh
INFO - 2 - scap_org.open-scap_cref_rhel9-checks-sce-ssh_keys_passphrase_protected.sh
INFO - Selected Benchmark is 0
INFO - To select a different Benchmark, use --xccdf-id-number option.
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-05-16-1103/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_set_nftables_table
INFO - Script nftables_incorrect_family.fail.sh using profile (all) OK
INFO - Script nftables_no_tables.fail.sh using profile (all) OK
INFO - Script nftables_table_present.pass.sh using profile (all) OK
Description:
This PR makes some improvements in set_nftables_table: this rule is not widely used, especially because the static configuration can be done in many different ways.
This is the reason there is only an SCE check, checking run-time settings, similarly to the remediation.
Rationale:
Better description and more precise remediation.
Review Hints:
The changes are more about information and new test scenarios. The general behavior is preserved.
Automatus CI tests in containers are expected to fail.