From 047bcd7ed2cc4df9f018bcb2222c4ef2ec5fd54b Mon Sep 17 00:00:00 2001 
From: Israel Villar Boillos Date: Fri, 5 Jun 2026 21:05:12 +0100 Subject: [PATCH 1/2] Add UFW default policy rules with OVAL checks (CIS 3.3.x) Add three new rules for UFW firewall default policies: - ufw_default_incoming_rule: ensure DEFAULT_INPUT_POLICY is DROP or REJECT in /etc/default/ufw - ufw_default_outgoing_rule: ensure DEFAULT_OUTPUT_POLICY is DROP or REJECT in /etc/default/ufw - ufw_disabled_routed: ensure DEFAULT_FORWARD_POLICY is DROP or REJECT in /etc/default/ufw All three rules use OVAL checks that read /etc/default/ufw directly, avoiding the SCE approach which fails silently when /tmp is mounted noexec (required by CIS 1.1.2.4). Map the new rules to the ufw component. Co-Authored-By: Claude Sonnet 4.6 --- components/ufw.yml | 3 ++ .../ufw_default_incoming_rule/bash/shared.sh | 3 ++ .../ufw_default_incoming_rule/oval/shared.xml | 21 ++++++++++++ .../ufw_default_incoming_rule/rule.yml | 33 +++++++++++++++++++ .../ufw_default_outgoing_rule/bash/shared.sh | 3 ++ .../ufw_default_outgoing_rule/oval/shared.xml | 21 ++++++++++++ .../ufw_default_outgoing_rule/rule.yml | 33 +++++++++++++++++++ .../ufw_disabled_routed/bash/shared.sh | 3 ++ .../ufw_disabled_routed/oval/shared.xml | 21 ++++++++++++ .../network-ufw/ufw_disabled_routed/rule.yml | 31 +++++++++++++++++ 10 files changed, 172 insertions(+) create mode 100644 linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/bash/shared.sh create mode 100644 linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/oval/shared.xml create mode 100644 linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/rule.yml create mode 100644 linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/bash/shared.sh create mode 100644 linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/oval/shared.xml create mode 100644 linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/rule.yml create mode 100644 
linux_os/guide/system/network/network-ufw/ufw_disabled_routed/bash/shared.sh create mode 100644 linux_os/guide/system/network/network-ufw/ufw_disabled_routed/oval/shared.xml create mode 100644 linux_os/guide/system/network/network-ufw/ufw_disabled_routed/rule.yml diff --git a/components/ufw.yml b/components/ufw.yml index 3ceaeeed9064..b79ffaafd565 100644 --- a/components/ufw.yml +++ b/components/ufw.yml @@ -10,6 +10,9 @@ rules: - service_ufw_enabled - set_ufw_default_rule - set_ufw_loopback_traffic +- ufw_default_incoming_rule +- ufw_default_outgoing_rule +- ufw_disabled_routed - ufw_only_required_services - ufw_rate_limit - ufw_rules_for_open_ports diff --git a/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/bash/shared.sh b/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/bash/shared.sh new file mode 100644 index 000000000000..02030a017bf6 --- /dev/null +++ b/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/bash/shared.sh @@ -0,0 +1,3 @@ +# platform = multi_platform_ubuntu,multi_platform_debian + +ufw default deny incoming diff --git a/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/oval/shared.xml b/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/oval/shared.xml new file mode 100644 index 000000000000..0de9a6969b80 --- /dev/null +++ b/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/oval/shared.xml @@ -0,0 +1,21 @@ + + + {{{ oval_metadata("Ensure ufw default incoming policy is deny or reject", rule_title=rule_title) }}} + + + + + + + + + + + /etc/default/ufw + ^DEFAULT_INPUT_POLICY="(DROP|REJECT)"$ + 1 + + diff --git a/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/rule.yml b/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/rule.yml new file mode 100644 index 000000000000..96ed807d3b6d --- /dev/null +++ b/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/rule.yml 
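Review bot: The incoming OVAL check appears to match only the first instance of `^DEFAULT_INPUT_POLICY="(DROP|REJECT)"$` in /etc/default/ufw (the `1` after the pattern reads like the textfilecontent54 instance; the XML tags are stripped in this rendering, so the object shape is inferred). ufw sources that file as shell, so a later `DEFAULT_INPUT_POLICY="ACCEPT"` line is what takes effect while the check still passes on the earlier DROP line, i.e. a duplicated key fails open. The usual ComplianceAsCode shape avoids this: match every assignment with a pattern such as `^DEFAULT_INPUT_POLICY="?(\w+)"?$` and instance `greater than or equal` 1, require the subexpression to match `^(DROP|REJECT)$` in the state, and set `check="all"` on the test. The same object/state shape is reused by the outgoing and routed checks further down, so they inherit the issue; note also that the exact-quote regex will report an unquoted `DEFAULT_INPUT_POLICY=DROP`, which ufw itself accepts, as non-compliant (fail-closed, but worth a comment in the definition).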
@@ -0,0 +1,33 @@ +documentation_complete: true + +title: 'Ensure ufw Default Deny Policy for Incoming Connections' + +description: |- + A default deny policy on incoming connections ensures that any unconfigured + inbound network traffic will be rejected. + + Note: Any port or protocol without an explicit allow before the default + deny will be blocked. + +rationale: |- + With a default accept policy the firewall will accept any incoming packet + that is not configured to be denied. It is easier to allow acceptable + usage than to block unacceptable usage. + +severity: medium + +platform: package[ufw] + +ocil_clause: 'the default policy for incoming connections is not set to deny or reject' + +ocil: |- + Run the following command and verify that the default policy for incoming + connections is deny or reject: +
# ufw status verbose | grep Default:
+ Example output: +
Default: deny (incoming), ...
+ +warnings: + - general: |- + Changing firewall settings while connected over network can + result in being locked out of the system. diff --git a/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/bash/shared.sh b/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/bash/shared.sh new file mode 100644 index 000000000000..7e8b8edb4ff9 --- /dev/null +++ b/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/bash/shared.sh @@ -0,0 +1,3 @@ +# platform = multi_platform_ubuntu,multi_platform_debian + +ufw default deny outgoing diff --git a/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/oval/shared.xml b/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/oval/shared.xml new file mode 100644 index 000000000000..c1364e3e8fb3 --- /dev/null +++ b/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/oval/shared.xml @@ -0,0 +1,21 @@ + + + {{{ oval_metadata("Ensure ufw default outgoing policy is deny or reject", rule_title=rule_title) }}} + + + + + + + + + + + /etc/default/ufw + ^DEFAULT_OUTPUT_POLICY="(DROP|REJECT)"$ + 1 + + diff --git a/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/rule.yml b/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/rule.yml new file mode 100644 index 000000000000..73b8e90eb183 --- /dev/null +++ b/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/rule.yml 
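Review bot: The manual check in `ocil` reads the live ruleset via `ufw status verbose` while the automated check reads /etc/default/ufw, and the two can disagree: a file edited without a subsequent `ufw reload` still shows the old policy in `ufw status`, and on a host where ufw is inactive `ufw status verbose` prints only `Status: inactive` with no `Default:` line at all, which leaves the auditor with nothing to compare against the clause. Suggest the ocil also show the file-level setting that the OVAL actually evaluates, e.g. `# grep -E '^DEFAULT_INPUT_POLICY=' /etc/default/ufw` with expected output `DEFAULT_INPUT_POLICY="DROP"` (or `"REJECT"`), and state that both must agree. The same applies to the outgoing rule's ocil below.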
@@ -0,0 +1,33 @@ +documentation_complete: true + +title: 'Ensure ufw Default Deny Policy for Outgoing Connections' + +description: |- + A default deny policy on outgoing connections ensures that only explicitly + allowed outbound network traffic will be permitted. + + Note: Any port or protocol without an explicit allow before the default + deny will be blocked. + +rationale: |- + With a default accept policy the firewall will allow any outgoing packet + that is not configured to be denied. Restricting outgoing traffic reduces + the risk of data exfiltration and limits the impact of a compromised host. + +severity: medium + +platform: package[ufw] + +ocil_clause: 'the default policy for outgoing connections is not set to deny or reject' + +ocil: |- + Run the following command and verify that the default policy for outgoing + connections is deny or reject: +
# ufw status verbose | grep Default:
+ Example output: +
Default: ..., deny (outgoing), ...
+ +warnings: + - general: |- + Changing firewall settings while connected over network can + result in being locked out of the system. diff --git a/linux_os/guide/system/network/network-ufw/ufw_disabled_routed/bash/shared.sh b/linux_os/guide/system/network/network-ufw/ufw_disabled_routed/bash/shared.sh new file mode 100644 index 000000000000..17330f3df230 --- /dev/null +++ b/linux_os/guide/system/network/network-ufw/ufw_disabled_routed/bash/shared.sh @@ -0,0 +1,3 @@ +# platform = multi_platform_ubuntu,multi_platform_debian + +ufw default deny routed diff --git a/linux_os/guide/system/network/network-ufw/ufw_disabled_routed/oval/shared.xml b/linux_os/guide/system/network/network-ufw/ufw_disabled_routed/oval/shared.xml new file mode 100644 index 000000000000..865a40672089 --- /dev/null +++ b/linux_os/guide/system/network/network-ufw/ufw_disabled_routed/oval/shared.xml @@ -0,0 +1,21 @@ + + + {{{ oval_metadata("Ensure ufw default routed policy is disabled or deny", rule_title=rule_title) }}} + + + + + + + + + + + /etc/default/ufw + ^DEFAULT_FORWARD_POLICY="(DROP|REJECT)"$ + 1 + + diff --git a/linux_os/guide/system/network/network-ufw/ufw_disabled_routed/rule.yml b/linux_os/guide/system/network/network-ufw/ufw_disabled_routed/rule.yml new file mode 100644 index 000000000000..64b47612ec1e --- /dev/null +++ b/linux_os/guide/system/network/network-ufw/ufw_disabled_routed/rule.yml 
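Review bot: The `warnings` entry on the outgoing rule only repeats the generic lock-out text, but `ufw default deny outgoing` (the remediation for this rule) drops every outbound connection without an explicit allow, which on most hosts breaks DNS resolution, NTP, package updates and log/SIEM forwarding as soon as ufw is active. A second warning would save operators a surprise, e.g. `- general: |-` followed by text along the lines of "A default deny outgoing policy blocks all outbound traffic that is not explicitly allowed, including DNS, NTP, package repositories and remote logging; add the required `ufw allow out` rules before applying this rule." The description's note about "explicit allow before the default deny" could say the same thing in outbound terms, since allow rules for services this host consumes are rarely in place.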
@@ -0,0 +1,31 @@ +documentation_complete: true + +title: 'Ensure ufw Default Policy for Routed (Forwarded) Traffic is Disabled' + +description: |- + The default policy for routed (forwarded) traffic in ufw should be set to + disabled or deny, ensuring that the system does not forward packets between + interfaces unless explicitly configured to do so. + +rationale: |- + Unless the system is intended to act as a router, forwarding traffic between + network interfaces should be disabled. Disabling the routed default policy + prevents the system from accidentally or maliciously forwarding traffic. + +severity: medium + +platform: package[ufw] + +ocil_clause: 'the default policy for routed traffic is not set to disabled or deny' + +ocil: |- + Run the following command and verify that the default policy for routed + traffic is disabled or deny: +
# ufw status verbose | grep Default:
+ Example output: +
Default: ..., disabled (routed)
+ +warnings: + - general: |- + Changing firewall settings while connected over network can + result in being locked out of the system. From bf1260dd4e32f8b998d9f12468fc1695f6d64b6d Mon Sep 17 00:00:00 2001 From: Israel Villar Boillos Date: Mon, 8 Jun 2026 18:42:29 +0100 Subject: [PATCH 2/2] Address review comments on UFW default policy rules - Mention the exact setting in the description of both rules: explain that DEFAULT_INPUT_POLICY / DEFAULT_OUTPUT_POLICY in /etc/default/ufw must be set to DROP or REJECT - Add test scenarios for ufw_default_incoming_rule: deny.pass, reject.pass, allow.fail - Add test scenarios for ufw_default_outgoing_rule: deny.pass, reject.pass, allow.fail Co-Authored-By: Claude Sonnet 4.6 --- .../network/network-ufw/ufw_default_incoming_rule/rule.yml | 2 ++ .../ufw_default_incoming_rule/tests/allow.fail.sh | 6 ++++++ .../ufw_default_incoming_rule/tests/deny.pass.sh | 6 ++++++ .../ufw_default_incoming_rule/tests/reject.pass.sh | 6 ++++++ .../network/network-ufw/ufw_default_outgoing_rule/rule.yml | 2 ++ .../ufw_default_outgoing_rule/tests/allow.fail.sh | 6 ++++++ .../ufw_default_outgoing_rule/tests/deny.pass.sh | 6 ++++++ .../ufw_default_outgoing_rule/tests/reject.pass.sh | 6 ++++++ 8 files changed, 40 insertions(+) create mode 100644 linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/tests/allow.fail.sh create mode 100644 linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/tests/deny.pass.sh create mode 100644 linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/tests/reject.pass.sh create mode 100644 linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/tests/allow.fail.sh create mode 100644 linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/tests/deny.pass.sh create mode 100644 linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/tests/reject.pass.sh 
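Review bot: The title, description, ocil and ocil_clause of ufw_disabled_routed accept "disabled or deny", but the OVAL only passes on `DEFAULT_FORWARD_POLICY="DROP"` or `"REJECT"`, and the two do not measure the same thing: as far as I recall, `ufw status verbose` prints `disabled (routed)` when kernel IP forwarding is off, regardless of DEFAULT_FORWARD_POLICY, so a host with `DEFAULT_FORWARD_POLICY="ACCEPT"` and `net.ipv4.ip_forward=0` satisfies the manual check yet fails the automated one. Align the ocil with the OVAL by also checking the file, e.g. `# grep -E '^DEFAULT_FORWARD_POLICY=' /etc/default/ufw`, and add the same "Set DEFAULT_FORWARD_POLICY to DROP or REJECT in /etc/default/ufw." sentence to the description that the follow-up commit adds to the other two rules. This rule is also the only one of the three without `tests/` scenarios; `deny.pass.sh`, `reject.pass.sh` and `allow.fail.sh` mirroring the incoming ones (`ufw default allow routed` for the fail case) would close that gap.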
diff --git a/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/rule.yml b/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/rule.yml index 96ed807d3b6d..8c325df91d9d 100644 --- a/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/rule.yml +++ b/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/rule.yml @@ -5,6 +5,8 @@ title: 'Ensure ufw Default Deny Policy for Incoming Connections' description: |- A default deny policy on incoming connections ensures that any unconfigured inbound network traffic will be rejected. + Set DEFAULT_INPUT_POLICY to DROP or REJECT + in /etc/default/ufw. Note: Any port or protocol without an explicit allow before the default deny will be blocked. diff --git a/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/tests/allow.fail.sh b/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/tests/allow.fail.sh new file mode 100644 index 000000000000..22b41f3fbd6c --- /dev/null +++ b/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/tests/allow.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# packages = ufw + +ufw allow ssh +ufw default allow incoming +ufw -f enable diff --git a/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/tests/deny.pass.sh b/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/tests/deny.pass.sh new file mode 100644 index 000000000000..7f50e33bad11 --- /dev/null +++ b/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/tests/deny.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# packages = ufw + +ufw allow ssh +ufw default deny incoming +ufw -f enable diff --git a/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/tests/reject.pass.sh b/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/tests/reject.pass.sh new file mode 100644 index 000000000000..37a33f07300e --- /dev/null 
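Review bot: The three incoming scenarios only drive the policy through the ufw CLI, so they never exercise the property the OVAL is actually checking, namely the contents of /etc/default/ufw independent of ufw's runtime state. A scenario that edits the file directly would catch regressions in the regex and in the file-versus-runtime assumption, e.g. a `file_accept.fail.sh` containing `sed -i 's/^DEFAULT_INPUT_POLICY=.*/DEFAULT_INPUT_POLICY="ACCEPT"/' /etc/default/ufw` after `ufw -f enable`, and a pass case with `DEFAULT_INPUT_POLICY="REJECT"` written the same way. Given the first-instance matching noted on the OVAL hunk, a scenario that appends a second `DEFAULT_INPUT_POLICY="ACCEPT"` line and is expected to fail would also pin the intended semantics.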
+++ b/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/tests/reject.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# packages = ufw + +ufw allow ssh +ufw default reject incoming +ufw -f enable diff --git a/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/rule.yml b/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/rule.yml index 73b8e90eb183..ae18072657b3 100644 --- a/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/rule.yml +++ b/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/rule.yml @@ -5,6 +5,8 @@ title: 'Ensure ufw Default Deny Policy for Outgoing Connections' description: |- A default deny policy on outgoing connections ensures that only explicitly allowed outbound network traffic will be permitted. + Set DEFAULT_OUTPUT_POLICY to DROP or REJECT + in /etc/default/ufw. Note: Any port or protocol without an explicit allow before the default deny will be blocked. diff --git a/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/tests/allow.fail.sh b/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/tests/allow.fail.sh new file mode 100644 index 000000000000..2044da9f0199 --- /dev/null +++ b/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/tests/allow.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# packages = ufw + +ufw allow ssh +ufw default allow outgoing +ufw -f enable diff --git a/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/tests/deny.pass.sh b/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/tests/deny.pass.sh new file mode 100644 index 000000000000..ea3bf04041cb --- /dev/null +++ b/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/tests/deny.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# packages = ufw + +ufw allow ssh +ufw default deny outgoing +ufw -f enable 
diff --git a/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/tests/reject.pass.sh b/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/tests/reject.pass.sh
new file mode 100644
index 000000000000..c4deef415348
--- /dev/null
+++ b/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/tests/reject.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = ufw
+
+ufw allow ssh
+ufw default reject outgoing
+ufw -f enable
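Review bot: After `ufw default reject outgoing` followed by `ufw -f enable` (and likewise `deny outgoing` in deny.pass.sh) the test machine has no outbound connectivity at all, since `ufw allow ssh` only opens the inbound side and replies to the harness's SSH session are covered by state tracking. That is harmless if every scenario runs on a fresh snapshot, but if the test backend performs any outbound step after the scenario (package installs for a later scenario on the same VM, fetching content, remote logging) it will hang rather than fail, which is hard to diagnose. If such reuse is possible, a one-line `# NOTE: leaves the VM without outbound access; requires a fresh snapshot per scenario` in each outgoing pass script, or an explicit `ufw allow out 53` / `ufw allow out 443` before enabling, would make the intent explicit.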