Add UFW default policy rules with OVAL checks (CIS 3.3.x)#14767
israel-villar wants to merge 2 commits into
Add three new rules for UFW firewall default policies:
- ufw_default_incoming_rule: ensure DEFAULT_INPUT_POLICY is DROP or REJECT in /etc/default/ufw
- ufw_default_outgoing_rule: ensure DEFAULT_OUTPUT_POLICY is DROP or REJECT in /etc/default/ufw
- ufw_disabled_routed: ensure DEFAULT_FORWARD_POLICY is DROP or REJECT in /etc/default/ufw

All three rules use OVAL checks that read /etc/default/ufw directly, avoiding the SCE approach, which fails silently when /tmp is mounted noexec (required by CIS 1.1.2.4). Map the new rules to the ufw component.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Hi @israel-villar. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
| description: |- | ||
| A default deny policy on outgoing connections ensures that only explicitly | ||
| allowed outbound network traffic will be permitted. | ||
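Review bot: the description at these two lines never names the setting the rule actually checks, so a reader cannot verify the host by hand; state that DEFAULT_OUTPUT_POLICY in /etc/default/ufw must be set to DROP or REJECT, and that this is the value `ufw default deny outgoing` (or `ufw default reject outgoing`) writes, so the description matches what the OVAL regex looks for.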
It would be great to describe here the exact setting that is supposed to be configured, i.e. explain in the text that we want DEFAULT_OUTPUT_POLICY in /etc/default/ufw to be set to DROP or REJECT.

Sure. Updated both ufw_default_incoming_rule and ufw_default_outgoing_rule to explicitly state that DEFAULT_INPUT_POLICY / DEFAULT_OUTPUT_POLICY in /etc/default/ufw must be set to DROP or REJECT.
| @@ -0,0 +1,33 @@ | |||
| documentation_complete: true | |||
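Review bot: this new rule file (the @@ -0,0 +1,33 @@ hunk) lands without a tests/ directory, so the OVAL check is never exercised in CI; add at least one passing scenario with the key set to DROP, one with it set to REJECT, and a failing scenario with ACCEPT, so both accepted values and the rejected one go through the regex.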
Please add test scenarios for both rules.
Added deny.pass.sh, reject.pass.sh, and allow.fail.sh for both rules.

- Mention the exact setting in the description of both rules: explain that DEFAULT_INPUT_POLICY / DEFAULT_OUTPUT_POLICY in /etc/default/ufw must be set to DROP or REJECT
- Add test scenarios for ufw_default_incoming_rule: deny.pass, reject.pass, allow.fail
- Add test scenarios for ufw_default_outgoing_rule: deny.pass, reject.pass, allow.fail

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add three new rules for UFW firewall default policies.

Description:

- ufw_default_incoming_rule: ensure DEFAULT_INPUT_POLICY is DROP or REJECT in /etc/default/ufw
- ufw_default_outgoing_rule: ensure DEFAULT_OUTPUT_POLICY is DROP or REJECT in /etc/default/ufw
- ufw_disabled_routed: ensure DEFAULT_FORWARD_POLICY is DROP or REJECT in /etc/default/ufw

All three rules use OVAL checks that read /etc/default/ufw directly. Map the new rules to the ufw component.

Rationale:

A default deny policy ensures only explicitly allowed traffic is permitted, reducing the attack surface.

The SCE approach fails silently when /tmp is mounted noexec (required by CIS 1.1.2.4). The OVAL approach reads the UFW configuration file directly and is not affected by mount options.

Review Hints:

The rules are under linux_os/guide/system/network/network-ufw/. ufw_default_outgoing_rule was created directly with OVAL (no SCE), consistent with the OVAL checks added for check_ufw_active, ufw_default_incoming_rule and ufw_disabled_routed.

./build_product debian13 --datastream-only
./build_product ubuntu2404 --datastream-only
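To make concrete what the three OVAL rules evaluate, and why reading the file beats an SCE script when /tmp is noexec, here is an added example (not code from the PR or from ComplianceAsCode) that performs the same check in plain POSIX shell. It parses /etc/default/ufw directly, ignores commented-out lines, strips quotes, and accepts only DROP or REJECT for each of the three keys. The function names are illustrative, the UFW_CONFIG override and the sample configuration files are constructed for the example, and the demo at the bottom mirrors the deny.pass / reject.pass / allow.fail scenarios the PR adds.

```shell
#!/bin/sh
# Added example, not code from the ComplianceAsCode PR: a pure-shell
# equivalent of the check the new OVAL rules perform. It only reads
# /etc/default/ufw, so nothing has to execute out of /tmp and a noexec
# /tmp cannot make it fail silently.
# Assumptions: the function names are illustrative, and UFW_CONFIG may be
# overridden to point the check at a file other than /etc/default/ufw.

UFW_CONFIG="${UFW_CONFIG:-/etc/default/ufw}"

# ufw_policy KEY [FILE]
# Print the value of KEY (DEFAULT_INPUT_POLICY, DEFAULT_OUTPUT_POLICY or
# DEFAULT_FORWARD_POLICY) from FILE. Commented-out lines are ignored, quotes
# are stripped, and if the key appears more than once the last assignment
# wins, matching how the shell would source the file.
ufw_policy() {
    key="$1"
    file="${2:-$UFW_CONFIG}"
    [ -r "$file" ] || return 1
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"\{0,1\}\([A-Za-z]*\)\"\{0,1\}.*/\1/p" "$file" \
        | tail -n 1
}

# ufw_policy_check KEY [FILE]
# Exit 0 when KEY is DROP or REJECT (the values the rules accept), 1 for
# ACCEPT, an unset key, or an unreadable file.
ufw_policy_check() {
    case "$(ufw_policy "$@")" in
        DROP|REJECT) return 0 ;;
        *)           return 1 ;;
    esac
}

# ufw_defaults_check [FILE]
# Evaluate the three keys the PR's rules cover, print PASS/FAIL per key,
# and exit 0 only if all three pass.
ufw_defaults_check() {
    file="${1:-$UFW_CONFIG}"
    rc=0
    for key in DEFAULT_INPUT_POLICY DEFAULT_OUTPUT_POLICY DEFAULT_FORWARD_POLICY; do
        val=$(ufw_policy "$key" "$file")
        if ufw_policy_check "$key" "$file"; then
            printf '%-22s %-7s PASS\n' "$key" "${val:-<unset>}"
        else
            printf '%-22s %-7s FAIL\n' "$key" "${val:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# make_sample_config INPUT OUTPUT FORWARD
# Write a constructed stand-in for /etc/default/ufw to a temp file and print
# its path. The commented-out DEFAULT_FORWARD_POLICY line is there to prove
# the parser ignores comments.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<EOF
# constructed sample of /etc/default/ufw, not copied from a real host
IPV6=yes
DEFAULT_INPUT_POLICY="$1"
DEFAULT_OUTPUT_POLICY="$2"
# DEFAULT_FORWARD_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="$3"
DEFAULT_APPLICATION_POLICY="SKIP"
MANAGE_BUILTINS=no
EOF
    printf '%s\n' "$f"
}

# demo: the same three outcomes the PR's test scenarios cover
# (deny.pass, reject.pass, allow.fail), run against constructed files.
demo() {
    for spec in "DROP DROP DROP" "REJECT REJECT REJECT" "ACCEPT DROP DROP"; do
        set -- $spec
        cfg=$(make_sample_config "$1" "$2" "$3")
        printf '== input=%s output=%s forward=%s\n' "$1" "$2" "$3"
        ufw_defaults_check "$cfg" || printf 'overall: FAIL\n'
        rm -f "$cfg"
    done
}

demo
```

On a real host, `ufw_defaults_check` with no argument reads /etc/default/ufw; the values it wants are what `ufw default deny incoming`, `ufw default deny outgoing` and `ufw default deny routed` (or `reject` in place of `deny`) write into DEFAULT_INPUT_POLICY, DEFAULT_OUTPUT_POLICY and DEFAULT_FORWARD_POLICY. DROP silently discards, REJECT answers with an ICMP unreachable or TCP RST; the rules accept either, which is why the check matches on both.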