{"description": "nftables is a subsystem of the Linux kernel providing filtering and classification of\nnetwork packets/datagrams/frames. The nftables service reads the\n<sub idref=\"var_nftables_master_config_file\" /> file for an nftables file or files to\ninclude in the nftables ruleset. An nftables ruleset containing the input, forward, and output\nbase chains allows network traffic to be filtered.", "rationale": "Changes made to the nftables ruleset only affect the live system; you will also need to configure\nthe nftables ruleset to be applied on boot.", "severity": "medium", "references": {"cis": ["4.2.10"]}, "control_references": {"cis": ["4.2.10"]}, "components": [], "identifiers": {}, "ocil_clause": "no nftables configuration exists", "ocil": "Run the following commands to verify that the input, forward, and output base chains are\nconfigured to be applied to an nftables ruleset on boot.\nRun the following command to verify the input base chain:\n<pre>\n# awk '/hook input/,/}/' $(awk '$1 ~ /^\\s*include/ { gsub(\"\\\"\",\"\",$2);print $2 }' \\\n<sub idref=\"var_nftables_master_config_file\" />)\n</pre>\nor, for the forward base chain:\n<pre>\n# awk '/hook forward/,/}/' $(awk '$1 ~ /^\\s*include/ { gsub(\"\\\"\",\"\",$2);print $2 }' \\\n<sub idref=\"var_nftables_master_config_file\" />)\n</pre>\nReview the base chains to ensure that they follow local site policy.", "oval_external_content": null, "fixtext": "Edit the <sub idref=\"var_nftables_master_config_file\" /> file and un-comment or add\na line with the absolute path of the nftables rules file for each nftables file you want\nincluded in the nftables ruleset on boot.\nFor example, the <sub idref=\"var_nftables_master_config_file\" /> file should contain\n<pre>include \"/etc/nftables/nftables.rules\"</pre>", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "package[nftables] and service_disabled[firewalld]", "platforms": ["package[nftables] and service_disabled[firewalld]"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["package_nftables_and_service_disabled_firewalld"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Ensure nftables Rules are Permanent", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-nftables/nftables_rules_permanent/rule.yml", "template": null}