Add UFW default policy rules with OVAL checks (CIS 3.3.x)#14767
Open
israel-villar wants to merge 1 commit into
Open
Add UFW default policy rules with OVAL checks (CIS 3.3.x)#14767israel-villar wants to merge 1 commit into
israel-villar wants to merge 1 commit into
Conversation
Add three new rules for UFW firewall default policies: - ufw_default_incoming_rule: ensure DEFAULT_INPUT_POLICY is DROP or REJECT in /etc/default/ufw - ufw_default_outgoing_rule: ensure DEFAULT_OUTPUT_POLICY is DROP or REJECT in /etc/default/ufw - ufw_disabled_routed: ensure DEFAULT_FORWARD_POLICY is DROP or REJECT in /etc/default/ufw All three rules use OVAL checks that read /etc/default/ufw directly, avoiding the SCE approach which fails silently when /tmp is mounted noexec (required by CIS 1.1.2.4). Map the new rules to the ufw component. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
Hi @israel-villar. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add three new rules for UFW firewall default policies:
All three rules use OVAL checks that read /etc/default/ufw directly, avoiding the SCE approach which fails silently when /tmp is mounted noexec (required by CIS 1.1.2.4). Map the new rules to the ufw component.
Description:
ufw_default_incoming_rule: ensureDEFAULT_INPUT_POLICYisDROPor
REJECTin/etc/default/ufwufw_default_outgoing_rule: ensureDEFAULT_OUTPUT_POLICYisDROPor
REJECTin/etc/default/ufwufw_disabled_routed: ensureDEFAULT_FORWARD_POLICYisDROPorREJECTin/etc/default/ufw/etc/default/ufwdirectly.ufwcomponent.Rationale:
ensures only explicitly allowed traffic is permitted, reducing the
attack surface.
/tmpis mountednoexec(required byCIS 1.1.2.4). The OVAL approach reads the UFW configuration file
directly and is not affected by mount options.
Review Hints:
linux_os/guide/system/network/network-ufw/.ufw_default_outgoing_rulewas created directly with OVAL (no SCE),consistent with the OVAL checks added for
check_ufw_active,ufw_default_incoming_ruleandufw_disabled_routed../build_product debian13 --datastream-only./build_product ubuntu2404 --datastream-only