ansible-lockdown / UBUNTU22-CIS

Ansible role for Ubuntu22 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License

3.5.1.x UFW not disabling nftables #143

Closed zac90 closed 8 months ago

zac90 commented 8 months ago

Describe the Issue If ufw is enabled, both iptables and nftables should be removed. At the moment only iptables-persistent is removed. Ensure nftables is also purged as some files persist with a normal remove.

Expected Behavior Remove nftables as well

Actual Behavior nftables remains with ufw active and may cause unexpected results.

Control(s) Affected 3.5.1.x and 3.5.3.1.2

Additional Notes The CIS Hardening guide does not specifically state to do this in the ufw section; however, at the start of the firewall overview it contains the following: "Only one method should be used to configure a firewall on the system. Use of more than one method could produce unexpected results".

Possible Solution Add the following to remove nftables when ufw is in use. Similar to control 3.5.3.1.2, except both that control and this one should use the apt module with purge: true

```yaml
- name: "Ensure nftables is uninstalled when using ufw"
  apt:
    name: nftables
    purge: true
    state: absent
```

uk-bolly commented 8 months ago

hi @zac90

Thanks for this issue, I have added the purge handler to 3.5.3.1.2 for iptables. For UFW, I believe UFW is a front end for an nftables or iptables backend. So removing both would cause an issue. This may be why the CIS documentation doesn't state to remove nftables but only iptables-persistent.

thanks

uk-bolly

zac90 commented 8 months ago

hi uk-bolly, UFW works as a front end to iptables. It does not require nftables. As long as the underlying iptables is installed, which is embedded into the kernel and not removed with iptables-persistent as far as I know, it'll work fine. I did a quick check as well by removing both nftables and iptables-persistent, and ufw blocked ports fine.

uk-bolly commented 8 months ago

hi @zac90

Thanks again for the feedback. Looking at this and speaking to others, it seems unclear. Documentation seems to state the default backend now for ufw is nftables https://ubuntu.com/blog/whats-new-in-security-for-ubuntu-22-04-lts (which is why maybe CIS have not added the removal of nftables?). Checking a fresh system, it appears when I look at the iptables command it points to the following:

```
readlink -f /usr/sbin/iptables
/usr/sbin/xtables-nft-multi
```

It appears that iptables commands are indeed using nftables? When I look at the man page:

NAME xtables-nft — iptables using nftables kernel api

Reading through and running the iptables command:

```
iptables -V
iptables v1.8.7 (nf_tables)
```

But when you look to remove nftables or ufw they don't show any dependencies. Whereas trying to remove iptables also tries to remove ufw.

The man page appears to explain this. When looking at the actual iptables package, this does have all of the xtables configuration, and it appears that iptables is now a wrapper for nftables?

It appears to work as expected without removing nftables as well. But I also agree with not having packages installed for the sake of it, which is also part of a good baseline. For now I believe we should leave it as per the CIS recommendation and as the benchmark has it listed, as it does still seem unclear what the actual state of best practice is from any documentation that I have found from Ubuntu or CIS.

Thanks as always

uk-bolly
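
The checks above (resolving the iptables binary and reading `iptables -V`) can be gathered into one script that also reports whether a second firewall method is active alongside ufw, which is the "only one method" condition the CIS overview quoted in this issue cares about. This is an added example for readers of the thread, not code from the ansible-lockdown role or from either participant; it assumes Debian/Ubuntu tooling (`dpkg-query`, `systemctl`, the `xtables-*-multi` binary names) and treats a missing tool as "unknown" rather than failing.

```shell
#!/bin/sh
# Added example, not part of the UBUNTU22-CIS role: report which netfilter
# backend the iptables front end uses and how many firewall management
# methods (ufw, nftables.service, iptables-persistent) are active at once.

# Classify the output of `iptables -V`, e.g. "iptables v1.8.7 (nf_tables)".
backend_from_version() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Classify the resolved binary behind /usr/sbin/iptables, e.g.
# /usr/sbin/xtables-nft-multi (nft backend) or /usr/sbin/xtables-legacy-multi.
backend_from_link() {
    case "$1" in
        */xtables-nft-multi)    echo nf_tables ;;
        */xtables-legacy-multi) echo legacy ;;
        *)                      echo unknown ;;
    esac
}

# Count active firewall management methods. Arguments: the `systemctl
# is-active` state of ufw, the same for nftables, and "installed" or
# "absent" for the iptables-persistent package. CIS wants exactly one.
active_methods() {
    n=0
    [ "$1" = active ] && n=$((n + 1))
    [ "$2" = active ] && n=$((n + 1))
    [ "$3" = installed ] && n=$((n + 1))
    echo "$n"
}

# Probe the running host. Every probe is optional so the script also runs
# (and reports "unknown") on a machine without iptables, systemd or dpkg.
probe() {
    ver=""; link=""; ufw_state=""; nft_state=""; pers=absent
    if command -v iptables >/dev/null 2>&1; then
        ver=$(iptables -V 2>/dev/null || true)
        link=$(readlink -f "$(command -v iptables)" 2>/dev/null || true)
    fi
    if command -v systemctl >/dev/null 2>&1; then
        # is-active prints the state and exits non-zero when inactive,
        # so discard the exit code but keep the printed word.
        ufw_state=$(systemctl is-active ufw 2>/dev/null || true)
        nft_state=$(systemctl is-active nftables 2>/dev/null || true)
    fi
    if command -v dpkg-query >/dev/null 2>&1 && \
       dpkg-query -W -f='${Status}' iptables-persistent 2>/dev/null \
       | grep -q 'install ok installed'; then
        pers=installed
    fi
    ufw_state=${ufw_state:-unknown}
    nft_state=${nft_state:-unknown}
    echo "iptables -V         : ${ver:-not installed} -> $(backend_from_version "$ver")"
    echo "iptables binary     : ${link:-n/a} -> $(backend_from_link "$link")"
    echo "ufw.service         : $ufw_state"
    echo "nftables.service    : $nft_state"
    echo "iptables-persistent : $pers"
    echo "firewall methods active: $(active_methods "$ufw_state" "$nft_state" "$pers")"
}

probe
```

A count of 1 with the backend reported as `nf_tables` is the state uk-bolly describes: ufw driving the nftables kernel API through the iptables compatibility layer, with no separate nftables.service ruleset competing with it. A count above 1 is the situation the CIS overview warns about, and is worth resolving before deciding whether the nftables package itself needs to go.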

zac90 commented 8 months ago

No worries. Thanks for the comprehensive write up. Perhaps it continued to work for me because it was just doing basic rules that iptables supports whereas maybe more complex rules require the nftables. Who knows.