4.3.4 Ensure nftables loopback traffic is configured

Information

Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network.

Loopback traffic is generated between processes on the machine and is typically critical to the operation of the system. The loopback interface is the only place where loopback network traffic should be seen; all other interfaces should ignore traffic on this network as an anti-spoofing measure.

Solution

Run the following script to implement the loopback rules:

#!/usr/bin/env bash

{
   l_hbfw=""
   # Determine which host-based firewall is enabled; FirewallD manages nftables itself.
   if systemctl is-enabled firewalld.service 2>/dev/null | grep -q 'enabled'; then
      echo -e "\n - FirewallD is in use on the system\n - Recommendation is NA\n - Remediation Complete"
      l_hbfw="fwd"
   elif systemctl is-enabled nftables.service 2>/dev/null | grep -q 'enabled'; then
      l_hbfw="nft"
   fi
   if [ "$l_hbfw" = "nft" ]; then
      # Collect the "ip saddr" rules from the input chain(s) of the live ruleset
      l_ipsaddr="$(nft list ruleset | awk '/filter_IN_public_deny|hook\s+input\s+/,/}\s*(#.*)?$/' | grep -P -- 'ip\h+saddr')"
      # Rule 1: accept all traffic arriving on the loopback interface
      if ! nft list ruleset | awk '/hook\s+input\s+/,/}\s*(#.*)?$/' | grep -Pq -- '\H+\h+"lo"\h+accept'; then
         echo -e "\n - Enabling input to accept for loopback address"
         nft add rule inet filter input iif lo accept
      else
         echo -e "\n - nftables input correctly configured to accept for loopback address"
      fi
      # Rule 2: drop IPv4 packets claiming a loopback source address on any other interface
      if ! grep -Pq -- 'ip\h+saddr\h+127\.0\.0\.0/8\h+(counter\h+packets\h+\d+\h+bytes\h+\d+\h+)?drop' <<< "$l_ipsaddr" && ! grep -Pq -- 'ip\h+daddr\h+!=\h+127\.0\.0\.1\h+ip\h+saddr\h+127\.0\.0\.1\h+drop' <<< "$l_ipsaddr"; then
         echo -e "\n - Setting IPv4 network traffic from loopback address to drop"
         nft add rule inet filter input ip saddr 127.0.0.0/8 counter drop
      else
         echo -e "\n - nftables correctly configured IPv4 network traffic from loopback address to drop"
      fi
      # Rule 3: same for IPv6, only when IPv6 is enabled on the system
      if grep -Pq -- '^\h*0\h*$' /sys/module/ipv6/parameters/disable; then
         l_ip6saddr="$(nft list ruleset | awk '/filter_IN_public_deny|hook input/,/}/' | grep 'ip6 saddr')"
         if ! grep -Pq -- 'ip6\h+saddr\h+::1\h+(counter\h+packets\h+\d+\h+bytes\h+\d+\h+)?drop' <<< "$l_ip6saddr" && ! grep -Pq -- 'ip6\h+daddr\h+!=\h+::1\h+ip6\h+saddr\h+::1\h+drop' <<< "$l_ip6saddr"; then
            echo -e "\n - Setting IPv6 network traffic from loopback address to drop"
            nft add rule inet filter input ip6 saddr ::1 counter drop
         else
            echo -e "\n - nftables correctly configured IPv6 network traffic from loopback address to drop"
         fi
      fi
   fi
}
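The remediation script above changes the live ruleset; an auditor usually wants a read-only check first. The following is an added example (not part of the CIS script) that reads `nft list ruleset` output on stdin, isolates the input chain, and reports which of the three loopback rules is missing. The two rulesets at the bottom are constructed samples, not captures from a real host.

```shell
#!/usr/bin/env bash
# Added audit helper: reports which loopback rules are missing from the
# inet filter input chain. Read-only; it never modifies the ruleset.

# Print only the body of the chain hooked to "input" (up to its closing brace).
input_chain() {
    awk '/hook[[:space:]]+input[[:space:]]/,/^[[:space:]]*}/'
}

# Returns 0 when all three rules are present, 1 otherwise; lists what is missing.
# The optional "counter packets N bytes N" clause is what `nft list ruleset` adds.
check_loopback_rules() {
    chain="$(input_chain)"
    rc=0
    printf '%s\n' "$chain" | grep -Eq 'iif(name)?[[:space:]]+"?lo"?[[:space:]]+accept' \
        || { echo " - MISSING: iif lo accept"; rc=1; }
    printf '%s\n' "$chain" | grep -Eq 'ip[[:space:]]+saddr[[:space:]]+127\.0\.0\.0/8[[:space:]]+(counter[[:space:]]+packets[[:space:]]+[0-9]+[[:space:]]+bytes[[:space:]]+[0-9]+[[:space:]]+)?drop' \
        || { echo " - MISSING: ip saddr 127.0.0.0/8 drop"; rc=1; }
    printf '%s\n' "$chain" | grep -Eq 'ip6[[:space:]]+saddr[[:space:]]+::1[[:space:]]+(counter[[:space:]]+packets[[:space:]]+[0-9]+[[:space:]]+bytes[[:space:]]+[0-9]+[[:space:]]+)?drop' \
        || { echo " - MISSING: ip6 saddr ::1 drop"; rc=1; }
    return "$rc"
}

# Constructed sample of what `nft list ruleset` prints on a compliant host.
GOOD_RULESET='table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop
        ip6 saddr ::1 counter packets 0 bytes 0 drop
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
}'

# Constructed sample that accepts loopback but lacks both anti-spoofing drops.
BAD_RULESET='table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
    }
}'

echo "Compliant ruleset:";     printf '%s\n' "$GOOD_RULESET" | check_loopback_rules && echo " - OK"
echo "Non-compliant ruleset:"; printf '%s\n' "$BAD_RULESET"  | check_loopback_rules || echo " - FAIL"
```

On a live system, replace the sample with `nft list ruleset | check_loopback_rules`; a non-zero exit means the remediation script still has work to do.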

See Also

https://workbench.cisecurity.org/benchmarks/18211

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|9.4

Plugin: Unix

Control ID: f9d14f39ad21f06ff6f516d1c66d7fb232093b00942be51a90571cfb418d2ac4