Configure the "nftables" to organizational standards.
CONTROL ID
15320
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Configure network protection settings to organizational standards., CC ID: 07601

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Ensure nftables base chains exist Description: Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization. Rational… (3.5.2.6, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 1)
  • Ensure nftables rules are permanent Description: nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames. The nftables service reads the `/etc/sysconfig/nftables.conf` file for a nftables file or files to include in the nftables ruleset.… (3.5.2.11, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 1)
  • Ensure nftables is installed Description: nftables provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure, … (3.5.2.1, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 1)
  • Ensure nftables outbound and established connections are configured Description: Configure the firewall rules for new outbound and established connections Rationale: If rules are not in place for new outbound and established connections, all packets will be dropped by the default policy preventing n… (3.5.2.8, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 1)
  • Ensure nftables either not installed or masked with firewalld Description: nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables. Note: Support for using nftables as the back-end for firewalld was add… (3.5.1.3, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 1)
  • Ensure nftables loopback traffic is configured Description: Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network Rationale: Loopback traffic is generated between processes on a machine and is typically critical to operation of the s… (3.5.2.7, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 1)
  • Ensure an nftables table exists Description: Tables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of five families. Rationale: nftables doesn't have any default tables. Without a table being built, nftables will not filter network… (3.5.2.5, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 1)
  • Ensure nftables default deny firewall policy Description: Base chain policy is the default verdict that will be applied to packets reaching the end of the chain. Rationale: There are two policies: accept (Default) and drop. If the policy is set to `accept`, the firewall will accept any packet that i… (3.5.2.9, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 1)
  • Ensure nftables is not installed with iptables Description: nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables. Rationale: Running both `iptables` and `nftables` may lead to conflict. Remediation Pro… (3.5.3.1.2, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 1)
  • Ensure nftables service is enabled Description: The nftables service allows for the loading of nftables rulesets during boot, or starting of the nftables service Rationale: The nftables service restores the nftables rules from the rules files referenced in the `/etc/sysconfig/nftables.conf` file dur… (3.5.2.10, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 1)
  • Ensure nftables rules are permanent Description: nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames. The nftables service reads the `/etc/sysconfig/nftables.conf` file for a nftables file or files to include in the nftables ruleset.… (3.5.2.11, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 2)
  • Ensure nftables outbound and established connections are configured Description: Configure the firewall rules for new outbound and established connections Rationale: If rules are not in place for new outbound and established connections, all packets will be dropped by the default policy preventing n… (3.5.2.8, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 2)
  • Ensure nftables base chains exist Description: Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization. Rational… (3.5.2.6, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 2)
  • Ensure nftables loopback traffic is configured Description: Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network Rationale: Loopback traffic is generated between processes on a machine and is typically critical to operation of the s… (3.5.2.7, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 2)
  • Ensure an nftables table exists Description: Tables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of five families. Rationale: nftables doesn't have any default tables. Without a table being built, nftables will not filter network… (3.5.2.5, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 2)
  • Ensure nftables either not installed or masked with firewalld Description: nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables. Note: Support for using nftables as the back-end for firewalld was add… (3.5.1.3, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 2)
  • Ensure nftables is not installed with iptables Description: nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables. Rationale: Running both `iptables` and `nftables` may lead to conflict. Remediation Pro… (3.5.3.1.2, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 2)
  • Ensure nftables service is enabled Description: The nftables service allows for the loading of nftables rulesets during boot, or starting of the nftables service Rationale: The nftables service restores the nftables rules from the rules files referenced in the `/etc/sysconfig/nftables.conf` file dur… (3.5.2.10, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 2)
  • Ensure nftables is installed Description: nftables provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure, … (3.5.2.1, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 2)
  • Ensure nftables default deny firewall policy Description: Base chain policy is the default verdict that will be applied to packets reaching the end of the chain. Rationale: There are two policies: accept (Default) and drop. If the policy is set to `accept`, the firewall will accept any packet that i… (3.5.2.9, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 2)
  • Ensure nftables base chains exist Description: Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization. Rational… (3.4.3.3, CIS Oracle Linux 8 Benchmark, Server Level 1, v1.0.1)
  • Ensure nftables outbound and established connections are configured Description: Configure the firewall rules for new outbound and established connections Rationale: If rules are not in place for new outbound and established connections, all packets will be dropped by the default policy preventing … (3.4.3.5, CIS Oracle Linux 8 Benchmark, Server Level 1, v1.0.1)
  • Ensure nftables service is enabled Description: The nftables service allows for the loading of nftables rulesets during boot, or starting of the nftables service Rationale: The nftables service restores the nftables rules from the rules files referenced in the `/etc/sysconfig/nftables.conf` file dur… (3.4.3.7, CIS Oracle Linux 8 Benchmark, Server Level 1, v1.0.1)
  • Ensure nftables is not enabled with firewalld Description: nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables. nftables is installed as a dependency with firewalld. Rationale: Running firewalld and … (3.4.2.3, CIS Oracle Linux 8 Benchmark, Server Level 1, v1.0.1)
  • Ensure nftables default deny firewall policy Description: Base chain policy is the default verdict that will be applied to packets reaching the end of the chain. Rationale: There are two policies: accept (Default) and drop. If the policy is set to `accept`, the firewall will accept any packet that i… (3.4.3.6, CIS Oracle Linux 8 Benchmark, Server Level 1, v1.0.1)
  • Ensure nftables loopback traffic is configured Description: Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network Rationale: Loopback traffic is generated between processes on a machine and is typically critical to operation of the… (3.4.3.4, CIS Oracle Linux 8 Benchmark, Server Level 1, v1.0.1)
  • Ensure nftables rules are permanent Description: nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames. The nftables service reads the `/etc/sysconfig/nftables.conf` file for a nftables file or files to include in the nftables ruleset.… (3.4.3.8, CIS Oracle Linux 8 Benchmark, Server Level 1, v1.0.1)
  • Ensure an nftables table exists Description: Tables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of five families. Rationale: nftables doesn't have any default tables. Without a table being built, nftables will not filter network… (3.4.3.2, CIS Oracle Linux 8 Benchmark, Server Level 1, v1.0.1)
  • Ensure an nftables table exists Description: Tables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of five families. Rationale: nftables doesn't have any default tables. Without a table being built, nftables will not filter network… (3.4.3.2, CIS Oracle Linux 8 Benchmark, Server Level 2, v1.0.1)
  • Ensure nftables rules are permanent Description: nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames. The nftables service reads the `/etc/sysconfig/nftables.conf` file for a nftables file or files to include in the nftables ruleset.… (3.4.3.8, CIS Oracle Linux 8 Benchmark, Server Level 2, v1.0.1)
  • Ensure nftables loopback traffic is configured Description: Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network Rationale: Loopback traffic is generated between processes on a machine and is typically critical to operation of the… (3.4.3.4, CIS Oracle Linux 8 Benchmark, Server Level 2, v1.0.1)
  • Ensure nftables base chains exist Description: Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization. Rational… (3.4.3.3, CIS Oracle Linux 8 Benchmark, Server Level 2, v1.0.1)
  • Ensure nftables default deny firewall policy Description: Base chain policy is the default verdict that will be applied to packets reaching the end of the chain. Rationale: There are two policies: accept (Default) and drop. If the policy is set to `accept`, the firewall will accept any packet that i… (3.4.3.6, CIS Oracle Linux 8 Benchmark, Server Level 2, v1.0.1)
  • Ensure nftables is not enabled with firewalld Description: nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables. nftables is installed as a dependency with firewalld. Rationale: Running firewalld and … (3.4.2.3, CIS Oracle Linux 8 Benchmark, Server Level 2, v1.0.1)
  • Ensure nftables service is enabled Description: The nftables service allows for the loading of nftables rulesets during boot, or starting of the nftables service Rationale: The nftables service restores the nftables rules from the rules files referenced in the `/etc/sysconfig/nftables.conf` file dur… (3.4.3.7, CIS Oracle Linux 8 Benchmark, Server Level 2, v1.0.1)
  • Ensure nftables outbound and established connections are configured Description: Configure the firewall rules for new outbound and established connections Rationale: If rules are not in place for new outbound and established connections, all packets will be dropped by the default policy preventing … (3.4.3.5, CIS Oracle Linux 8 Benchmark, Server Level 2, v1.0.1)