SLE15 add implementation of nftables_rules_permanent rule

[teacup-on-rockingchair]

Description:

• Add SLE15 based implementation of nftables_rules_permanent rule

Rationale:

• Allocate CCE for the nftables_rules_permanent rule and add rule to the CIS profile
• _The nftables_rules_permanent rule is based on the CIS requirement 3.5.2.10
  There are some internal decisions made for the rule based on the facts that:
  • Requirement assumes the system firewall is managed explicitely by nftables package and relevant kernel modules, i.e. no firewalld, no iptables installed
  • SLE 15 nftables package comes with following number of configuration files:
    • /etc/nftables/arp-filter
    • /etc/nftables/bridge-filter
    • /etc/nftables/inet-filter
    • /etc/nftables/ipv4-filter
    • /etc/nftables/ipv4-mangle
    • /etc/nftables/ipv4-nat
    • /etc/nftables/ipv4-raw
    • /etc/nftables/ipv6-filter
    • /etc/nftables/ipv6-mangle
    • /etc/nftables/ipv6-nat
    • /etc/nftables/ipv6-raw
      , where bridge, arp and inet(ipv4+ipv6), should cover L2+L3 layers of the IP stack, which are mainly addressed in other nftables requirements

Review Hints:

The design of the OVAL checks and Ansible and Bash remediation was made in a way that the rule will check that there is top-level configuration file,
as described by the requirement /etc/sysconfig/nftables, which will include per protocol family configuration files that come with the native package.

The contents of the actual configuration as far as I understand the requirement should be left to the customer site policy.

The main idea of the rule as I tried to follow it was to make sure that there exists a configuration which to be applied on boot.

All of the changes made were SLE15 specific, since I based my logic on how the native nftables package for SUSE SLE15 looks like.

[openshift-ci]

Hi @teacup-on-rockingchair. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

sle15 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[jan-cerny]

LGTM

Thanks

[jan-cerny]

@ComplianceAsCode/suse-maintainers PTAL

[jan-cerny]

@marcusburghardt Can you take a look if it can be merged instead of SUSE?

[jan-cerny]

or also @Mab879

[marcusburghardt]

The rule is complete, but there are some opportunities to improve the readability.

[marcusburghardt]

Only a small detail is pending. The jinja2 variable declaration can be removed in Ansible now.

[marcusburghardt]

LGTM now. Thanks

[codeclimate]

Code Climate has analyzed commit 1467145 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 52.4%.

View more on Code Climate.

[marcusburghardt]

Overriding CODEOWNERS since a SUSE approver is not currently available.