{"description": "Configure the loopback interface to accept traffic.\nConfigure all other interfaces to drop traffic whose source address is in the loopback\nnetwork (127.0.0.0/8 for IPv4 and ::1 for IPv6).", "rationale": "Loopback traffic is generated between processes on the machine and is\ntypically critical to the operation of the system. The loopback interface\nis the only place where loopback network traffic should be seen;\nall other interfaces should drop packets that claim a loopback source address as an\nanti-spoofing measure.", "severity": "medium", "references": {"pcidss": ["Req-1.4.1"], "cis": ["4.2.6"]}, "control_references": {"cis": ["4.2.6"]}, "components": [], "identifiers": {}, "ocil_clause": "nftables loopback traffic is not configured", "ocil": "Verify that the loopback interface is configured to accept traffic:\n<pre>\n# nft list ruleset | awk '/hook input/,/}/' | grep 'iif \"lo\" accept'\n</pre>\niif \"lo\" accept\nVerify that traffic from the IPv4 loopback network is dropped on all other interfaces:\n<pre>\n# nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr'\n</pre>\nip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop\nIf IPv6 is enabled, verify that traffic from the IPv6 loopback address is dropped as well:\n<pre>\n# nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr'\n</pre>\nip6 saddr ::1 counter packets 0 bytes 0 drop\nThe packet and byte counters will differ on a running system; only the match expression and the drop verdict matter.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "Changing firewall settings while connected over the network can\nresult in being locked out of the system.\nKeep in mind that the remediation changes only the running\nruleset; to keep the changes across a reboot, save the nft ruleset to the relevant\nconfiguration file (on Ubuntu, /etc/nftables.conf, which nftables.service loads at boot)."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "package[nftables] and service_disabled[firewalld]", "platforms": ["package[nftables] and service_disabled[firewalld]"], "sce_metadata": {"platform": ["multi_platform_ubuntu"], "check-import": "stdout", "environment": "any", "filename": "set_nftables_loopback_traffic.sh", "relative_path": "ubuntu2204/checks/sce/set_nftables_loopback_traffic.sh"}, "inherited_platforms": [], "cpe_platform_names": ["package_nftables_and_service_disabled_firewalld"],
"inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Set nftables Configuration for Loopback Traffic", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-nftables/set_nftables_loopback_traffic/rule.yml", "template": null}
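The OCIL check in the rule above, worked through as an added example that is not part of the SSG rule or its SCE script: a POSIX shell function applies the same awk range over the input-hook chain and the same grep patterns to a constructed `nft list ruleset` dump, so it runs without nft installed and without root. The two ruleset dumps, the function names and the "inet filter" table layout are constructed for this example; the one deliberate difference from the OCIL text is that the counters are not matched literally, because `packets 0 bytes 0` stops being true as soon as the rule drops a packet.

```shell
#!/bin/sh
# Added example: reproduces the rule's OCIL check against a constructed
# ruleset dump. Not the SSG rule's own SCE check script.

# Constructed dump of a compliant ruleset, in the format that
# `nft list ruleset` prints (nft quotes interface names, hence "lo").
compliant_ruleset() {
  cat <<'EOF'
table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		iif "lo" accept
		ip saddr 127.0.0.0/8 counter packets 12 bytes 960 drop
		ip6 saddr ::1 counter packets 0 bytes 0 drop
		ct state established,related accept
	}
	chain forward {
		type filter hook forward priority 0; policy drop;
	}
	chain output {
		type filter hook output priority 0; policy accept;
	}
}
EOF
}

# Constructed dump that accepts lo and drops spoofed IPv4 loopback
# traffic but lacks the IPv6 anti-spoofing rule.
noncompliant_ruleset() {
  cat <<'EOF'
table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		iif "lo" accept
		ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop
	}
}
EOF
}

# check_loopback_rules RULESET_TEXT
# Restricts the dump to the input-hook chain(s) with the same awk range
# the OCIL uses, then looks for the three required rules. Prints one
# "missing: ..." line per absent rule; returns 0 only if all are present.
# Counter values are intentionally not part of the patterns: they change
# as packets flow, so a literal "packets 0 bytes 0" would fail on any
# host that has actually dropped a spoofed packet.
check_loopback_rules() {
  chain=$(printf '%s\n' "$1" | awk '/hook input/,/}/')
  status=0
  printf '%s\n' "$chain" | grep -q 'iif "lo" accept' \
    || { echo 'missing: iif "lo" accept'; status=1; }
  printf '%s\n' "$chain" | grep -Eq 'ip saddr 127\.0\.0\.0/8 .*drop' \
    || { echo 'missing: ip saddr 127.0.0.0/8 drop'; status=1; }
  printf '%s\n' "$chain" | grep -Eq 'ip6 saddr ::1 .*drop' \
    || { echo 'missing: ip6 saddr ::1 drop'; status=1; }
  return "$status"
}

# Stand-alone demonstration: the compliant dump passes silently, the
# non-compliant one reports the missing IPv6 rule and exits non-zero.
check_loopback_rules "$(compliant_ruleset)" && echo "compliant dump: PASS"
check_loopback_rules "$(noncompliant_ruleset)" || echo "noncompliant dump: FAIL"
```

On a real host replace the constructed dump with the live ruleset: `check_loopback_rules "$(nft list ruleset)"`. Assuming an existing `inet filter` table with an `input` chain (an assumption of this example, not something the rule text states), the three rules are added with `nft add rule inet filter input iif lo accept`, `nft add rule inet filter input ip saddr 127.0.0.0/8 counter drop` and `nft add rule inet filter input ip6 saddr ::1 counter drop`; as the rule's warning says, those commands only change the running ruleset, so save it afterwards or it is gone at the next reboot.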