{"description": "Tables in nftables hold chains. Each table has exactly one address family and only applies\nto packets of that family; the families are ip, ip6, inet, arp, bridge, and netdev.\nChains are containers for rules and come in two kinds, base chains and regular chains.\nA base chain is registered at a netfilter hook and is the entry point for packets from the\nnetworking stack; a regular chain has no hook, is reached only as a jump or goto target,\nand exists to organize rules.", "rationale": "If no base chain is registered at the input, forward, and output hooks, packets traversing\nthose hooks are never seen by nftables and the firewall policy is not applied to them.", "severity": "medium", "references": {"cis": ["4.2.5"]}, "control_references": {"cis": ["4.2.5"]}, "components": [], "identifiers": {}, "ocil_clause": "base chains do not exist for the input, forward, and output hooks", "ocil": "To verify that base chains exist for the input, forward, and output hooks, run the following commands:\n<pre>$ sudo nft list ruleset | grep 'hook input'</pre>\n<pre>$ sudo nft list ruleset | grep 'hook forward'</pre>\n<pre>$ sudo nft list ruleset | grep 'hook output'</pre>\nEach command should print at least one line, similar to:\n<tt>\n  type filter hook input priority 0;\n  type filter hook forward priority 0;\n  type filter hook output priority 0;\n</tt>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "Configuring rules over ssh by creating a base chain with policy drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "package[nftables]", "platforms": ["package[nftables]"], "sce_metadata": {"platform": ["multi_platform_all"], "check-import": "stdout", "environment": "any", "filename": "set_nftables_base_chain.sh", "relative_path": "ubuntu2204/checks/sce/set_nftables_base_chain.sh"}, "inherited_platforms": [], "cpe_platform_names": ["package_nftables"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Ensure Base Chains Exist for Nftables", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-nftables/set_nftables_base_chain/rule.yml", "template": null}
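The OCIL check above and the lockout the warning describes, as an added shell example. This is not the rule's SCE script (set_nftables_base_chain.sh) and not part of the SCAP Security Guide; it assumes the inet family and ssh on TCP port 22 unless another port is passed in, and the two ruleset samples are constructed, not captured from a host.

```shell
#!/bin/sh
# Added example; not the rule's SCE script and not part of the SCAP Security Guide.
# Two textual checks over `nft list ruleset` output, plus a config renderer.
# Assumptions: inet family, ssh on TCP port 22 unless a port is passed in.

# Constructed sample of `nft list ruleset` output: base chains for the
# input and output hooks only, so traffic at the forward hook is unfiltered.
SAMPLE_RULESET='table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        tcp dport 22 accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}'

# Constructed sample of the lockout the warning describes: the input base
# chain drops by default and nothing accepts ssh.
SAMPLE_LOCKOUT='table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
    }
}'

# Read ruleset text from stdin, print each of input/forward/output that has
# no base chain (one per line), and return 1 if any is missing.
# Usage on a live host: sudo nft list ruleset | missing_base_hooks
missing_base_hooks() {
    ruleset=$(cat)
    rc=0
    for hook in input forward output; do
        if ! printf '%s\n' "$ruleset" | grep -q "hook ${hook}"; then
            echo "$hook"
            rc=1
        fi
    done
    return $rc
}

# Read ruleset text from stdin and return 0 if the chain hooked at input
# either does not drop by default or carries an accept rule for the ssh
# port ($1, default 22). Purely textual: a port inside a set such as
# { 22, 80 } is not recognised.
input_drop_allows_ssh() {
    port=${1:-22}
    # Keep only the lines of the chain that declares the input hook.
    chain=$(awk '
        /^[ \t]*chain / { inchain = 0 }
        /hook input/    { inchain = 1 }
        inchain         { print }')
    if printf '%s\n' "$chain" | grep -q 'policy drop'; then
        printf '%s\n' "$chain" | grep -q "dport ${port} accept"
    else
        return 0
    fi
}

# Render an nftables config that creates all three base chains. The ssh
# accept rule is in the same file as the input chain's drop policy, and
# `nft -f` applies the file as one atomic transaction, so loading it over
# ssh does not cut the session. Changing the policy to drop interactively
# (`nft add chain ...`) before the accept rule exists is what locks you out.
render_base_chain_config() {
    port=${1:-22}
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        tcp dport ${port} accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Demonstration on the constructed sample: reports "forward" as missing.
printf '%s\n' "$SAMPLE_RULESET" | missing_base_hooks || echo "base chain(s) missing, see above"
```

To apply the rendered config, write it to a file and load it with `sudo nft -f <file>`; afterwards `sudo nft list ruleset | missing_base_hooks` prints nothing and returns 0.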