{"description": "Base chain policy is the default verdict applied to packets that reach the end of\nthe chain without matching a terminating rule. There are two policies: accept (the default) and drop. If the policy is accept,\nthe firewall accepts any packet that no rule explicitly denies, and the packet\ncontinues traversing the network stack. With a policy of drop, anything that is not explicitly permitted is discarded.\n\nRun the following commands and verify that the input, forward and output base chains have a policy of drop\n(newer nft versions may print a symbolic priority such as <tt>priority filter</tt> instead of <tt>0</tt>; the policy field is what matters).\n<pre>\n$ nft list ruleset | grep 'hook input'\ntype filter hook input priority 0; policy drop;\n$ nft list ruleset | grep 'hook forward'\ntype filter hook forward priority 0; policy drop;\n$ nft list ruleset | grep 'hook output'\ntype filter hook output priority 0; policy drop;\n</pre>", "rationale": "It is easier to allow acceptable usage than to block unacceptable usage.\n", "severity": "medium", "references": {"cis": ["4.2.8"], "pcidss4": ["1.3.1", "1.3"]}, "control_references": {"cis": ["4.2.8"], "pcidss4": ["1.3.1", "1.3"]}, "components": [], "identifiers": {}, "ocil_clause": "default policy is not set for nftables rules", "ocil": "Run the following command and verify that the base chain policy is <tt>drop</tt>:\n<pre>$ sudo nft list ruleset | grep 'hook input' </pre>\nOutput should include a line similar to:\n<tt>type filter hook input priority 0; policy drop; </tt>\nRepeat the check for <tt>hook forward</tt> and <tt>hook output</tt>; each must also show <tt>policy drop</tt>.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "Changing firewall settings while connected over the network can result in being locked out\nof the system. Add rules that accept loopback, established/related and management-session (for example SSH) traffic before switching a base chain policy to drop."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "package[nftables] and service_disabled[firewalld] and service_disabled[ufw]", "platforms": ["package[nftables] and service_disabled[firewalld] and service_disabled[ufw]"], "sce_metadata": {"platform": ["multi_platform_ubuntu"], "check-import": "stdout", "environment": 
"any", "filename": "nftables_ensure_default_deny_policy.sh", "relative_path": "ubuntu2204/checks/sce/nftables_ensure_default_deny_policy.sh"}, "inherited_platforms": [], "cpe_platform_names": ["package_nftables_and_service_disabled_firewalld_and_service_disabled_ufw"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Ensure nftables Default Deny Firewall Policy", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml", "template": null}
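The following is an added example, not part of the SCAP Security Guide rule above or of its SCE check script. It turns the manual `nft list ruleset | grep 'hook ...'` check into a portable sh/awk function that parses ruleset output, treats a base chain with no `policy` keyword as accept (nftables' default), reports a missing input/forward/output base chain as a failure, and runs first on two constructed rulesets (the weak accept policy beside a corrected drop policy with the allow rules that keep the management session alive) and then, when run as root on a host that has `nft`, on the live ruleset. The `tcp dport 22 accept` rule in the hardened sample assumes SSH is the management path; adjust it before applying to a real host.

```shell
#!/bin/sh
# Added example (not the rule's own code): portable check that the input,
# forward and output nftables base chains default to drop.  A base chain that
# prints no "policy" keyword is treated as accept, which is nftables' default.
# The two rulesets below are constructed for the demo.

# Usage: check_base_chain_policies "<output of: nft list ruleset>"
# Prints one line per non-compliant or missing base chain; exit 0 when compliant.
check_base_chain_policies() {
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0 }
        # Only base chains carry "type <type> hook <hook>"; regular chains do not.
        # Matching on the hook keyword also copes with "priority filter" output.
        /type [a-z]+ hook / {
            hook = ""; pol = "accept"          # default when policy is omitted
            for (i = 1; i <= NF; i++) {
                if ($i == "hook")   hook = $(i + 1)
                if ($i == "policy") { pol = $(i + 1); sub(/;$/, "", pol) }
            }
            seen[hook] = 1
            # CIS 4.2.8 (the rule above) covers the three filter hooks.
            if (hook ~ /^(input|forward|output)$/ && pol != "drop") {
                printf "hook %s: policy %s\n", hook, pol
                bad = 1
            }
        }
        END {
            n = split("input forward output", want, " ")
            for (j = 1; j <= n; j++)
                if (!(want[j] in seen)) { printf "hook %s: no base chain\n", want[j]; bad = 1 }
            exit bad
        }'
}

# Constructed sample: the weak configuration the rule is meant to catch.
WEAK_RULESET=$(cat <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
)

# Constructed sample: corrected default-deny policy.  Loopback and
# established/related traffic are accepted before anything else so the
# change does not cut off the session that applies it; tcp/22 assumes SSH
# is the management path (assumption, adjust for the real host).
HARDENED_RULESET=$(cat <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state new,established,related accept
    }
}
EOF
)

# Demo on the constructed rulesets, then on the live ruleset when available.
echo "== weak ruleset =="
check_base_chain_policies "$WEAK_RULESET" || echo "FAIL: default-deny policy missing"
echo "== hardened ruleset =="
check_base_chain_policies "$HARDENED_RULESET" && echo "PASS: input, forward and output default to drop"
if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    echo "== live ruleset =="
    check_base_chain_policies "$(nft list ruleset)" && echo "PASS: live ruleset"
fi
```

The function keys on the `hook` and `policy` words rather than on `priority 0`, so it gives the same verdict whether `nft` prints the numeric priority or its symbolic name. Reporting a missing base chain as a failure matters because a host with no filter chains at all would otherwise pass a grep-based check silently while accepting everything.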