From 49036c8738685ae0e65f03c7176a9ec6c9463064 Mon Sep 17 00:00:00 2001
From: Eduardo Barretto
Date: Tue, 18 Apr 2023 17:19:00 +0200
Subject: [PATCH] Add Ubuntu SCE checks for iptables rules

---
 .../set_ip6tables_default_rule/sce/ubuntu.sh | 26 +++++++++++++++++++
 .../set_ipv6_loopback_traffic/sce/ubuntu.sh | 22 ++++++++++++++++
 .../set_loopback_traffic/sce/ubuntu.sh | 17 ++++++++++++
 .../set_iptables_default_rule/sce/ubuntu.sh | 21 +++++++++++++++
 4 files changed, 86 insertions(+)
 create mode 100644 linux_os/guide/system/network/network-iptables/iptables_activation/set_ip6tables_default_rule/sce/ubuntu.sh
 create mode 100644 linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/sce/ubuntu.sh
 create mode 100644 linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/sce/ubuntu.sh
 create mode 100644 linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/sce/ubuntu.sh

diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ip6tables_default_rule/sce/ubuntu.sh b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ip6tables_default_rule/sce/ubuntu.sh
new file mode 100644
index 00000000000..d93a6fcf024
--- /dev/null
+++ b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ip6tables_default_rule/sce/ubuntu.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# check-import = stdout
+
+# Pass rule if IPv6 is disabled on kernel
+if [ ! -e /proc/sys/net/ipv6/conf/all/disable_ipv6 ] || [ "$(cat /proc/sys/net/ipv6/conf/all/disable_ipv6)" -eq 1 ]; then
+ exit "$XCCDF_RESULT_PASS"
+fi
+
+output="$(ip6tables -L | grep Chain)"
+if [ -z "${output}" ]; then
+ exit "$XCCDF_RESULT_FAIL"
+fi
+
+while read -r line; do
+ chain=$(echo "$line" | awk '{print $1, $2}')
+ policy=$(echo "$line" | awk '{print $4}' | tr -d ")")
+ if [ "$chain" = "Chain INPUT" ] || [ "$chain" = "Chain FORWARD" ] ||
+ [ "$chain" = "Chain OUTPUT" ]; then
+ if [ "$policy" != "DROP" ] && [ "$policy" != "REJECT" ]; then
+ exit "$XCCDF_RESULT_FAIL"
+ fi
+ fi
+done <<< "$output"
+
+exit "$XCCDF_RESULT_PASS"
diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/sce/ubuntu.sh b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/sce/ubuntu.sh
new file mode 100644
index 00000000000..7bb92e60569
--- /dev/null
+++ b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/sce/ubuntu.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# check-import = stdout
+
+# Pass rule if IPv6 is disabled on kernel
+if [ ! -e /proc/sys/net/ipv6/conf/all/disable_ipv6 ] || [ "$(cat /proc/sys/net/ipv6/conf/all/disable_ipv6)" -eq 1 ]; then
+ exit "$XCCDF_RESULT_PASS"
+fi
+
+regex="\s+[0-9]+\s+[0-9]+\s+ACCEPT\s+all\s+lo\s+\*\s+::\/0\s+::\/0[[:space:]]+[0-9]+\s+[0-9]+\s+DROP\s+all\s+\*\s+\*\s+::1\s+::\/0"
+
+# Check chain INPUT for loopback related rules
+if ! ip6tables -L INPUT -v -n | grep -Ezq "$regex" ; then
+ exit "$XCCDF_RESULT_FAIL"
+fi
+
+ # Check chain OUTPUT for loopback related rules
+if ! ip6tables -L OUTPUT -v -n | grep -Eq "\s[0-9]+\s+[0-9]+\s+ACCEPT\s+all\s+\*\s+lo\s+::\/0\s+::\/0" ; then
+ exit "$XCCDF_RESULT_FAIL"
+fi
+
+exit "$XCCDF_RESULT_PASS"
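Review bot: The `output="$(ip6tables -L | grep Chain)"` line runs the listing without `-n`, so ip6tables attempts reverse DNS lookups for every rule that carries an address and the check can stall on a host without working name resolution; since only the `Chain` header lines are consumed, `output="$(ip6tables -L -n | grep '^Chain')"` yields the same data without the lookups, and the `^` anchor also keeps a rule whose comment happens to contain the word Chain out of the loop. The same missing `-n` is present on the `iptables -L | grep Chain` line of the fourth hunk (set_iptables_default_rule). The per-line `echo | awk` pipelines could be dropped by letting `read` split the header, `while read -r _ chain _ policy _; do policy=${policy%)}`, and comparing `$chain` against `INPUT`, `FORWARD` and `OUTPUT`. As far as I know iptables does not accept REJECT as a built-in chain policy, so the `!= "REJECT"` branch is probably dead; it is harmless, but a short comment saying why it is there would stop the next reader from wondering.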
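Review bot: The INPUT pattern stored in `regex` requires the `ACCEPT ... lo` rule and the `DROP ... ::1` rule to be adjacent lines of the `ip6tables -L INPUT -v -n` listing, because under `grep -z` only `[[:space:]]+` is allowed between them, so a ruleset with any rule inserted between those two (a conntrack rule, for instance) is reported as FAIL even though the ordering that matters, accepting on lo before dropping ::1, is intact. If adjacency is meant to be part of the requirement, state that in the comment above the check; otherwise a pattern that tolerates intervening lines would be less brittle. The same regex shape is used for IPv4 in the third hunk (set_loopback_traffic). I believe newer iptables releases print the protocol column as `0` instead of `all` when `-n` is given, which would make both patterns miss otherwise matching rules; `(all|0)` in place of `all` would cover both spellings, but please confirm against the iptables versions shipped by the supported Ubuntu releases. The comment ` # Check chain OUTPUT for loopback related rules` carries a stray leading space, unlike its sibling in the IPv4 script.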
diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/sce/ubuntu.sh b/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/sce/ubuntu.sh
new file mode 100644
index 00000000000..50abdbdbbf9
--- /dev/null
+++ b/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/sce/ubuntu.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# check-import = stdout
+
+regex="\s+[0-9]+\s+[0-9]+\s+ACCEPT\s+all\s+--\s+lo\s+\*\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0[[:space:]]+[0-9]+\s+[0-9]+\s+DROP\s+all\s+--\s+\*\s+\*\s+127\.0\.0\.0\/8\s+0\.0\.0\.0\/0"
+
+# Check chain INPUT for loopback related rules
+if ! iptables -L INPUT -v -n | grep -Ezq "$regex" ; then
+ exit "$XCCDF_RESULT_FAIL"
+fi
+
+# Check chain OUTPUT for loopback related rules
+if ! iptables -L OUTPUT -v -n | grep -Eq "\s[0-9]+\s+[0-9]+\s+ACCEPT\s+all\s+--\s+\*\s+lo\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0" ; then
+ exit "$XCCDF_RESULT_FAIL"
+fi
+
+exit "$XCCDF_RESULT_PASS"
diff --git a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/sce/ubuntu.sh b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/sce/ubuntu.sh
new file mode 100644
index 00000000000..3e2ca642446
--- /dev/null
+++ b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/sce/ubuntu.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# check-import = stdout
+
+output="$(iptables -L | grep Chain)"
+if [ -z "${output}" ]; then
+ exit "$XCCDF_RESULT_FAIL"
+fi
+
+while read -r line; do
+ chain=$(echo "$line" | awk '{print $1, $2}')
+ policy=$(echo "$line" | awk '{print $4}' | tr -d ')')
+ if [ "$chain" = "Chain INPUT" ] || [ "$chain" = "Chain FORWARD" ] ||
+ [ "$chain" = "Chain OUTPUT" ]; then
+ if [ "$policy" != "DROP" ] && [ "$policy" != "REJECT" ]; then
+ exit "$XCCDF_RESULT_FAIL"
+ fi
+ fi
+done <<< "$output"
+
+exit "${XCCDF_RESULT_PASS}"
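Review bot: This script ends with `exit "${XCCDF_RESULT_PASS}"` and writes `tr -d ')'`, while the three sibling scripts in this patch use `"$XCCDF_RESULT_PASS"` and `tr -d ")"`; the four files are otherwise built from the same template, so settling on one spelling (`exit "$XCCDF_RESULT_PASS"` matches the majority) keeps them diffable against each other. The `iptables -L | grep Chain` line has the same missing `-n` already raised on the first hunk.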