USG CIS / DISA STIG 'usg' fix script breaks DNS
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu Pro | New | Undecided | Unassigned |
Bug Description
To ensure USG CIS / DISA STIG compliance for cis_level1_
> The firewall must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). To prevent malicious or accidental leakage of traffic, organizations must implement a deny-by-default security posture at the network perimeter.
On a fresh install of Ubuntu Desktop 22.04.3, before attaching to Ubuntu Pro, DNS works.
After installing ubuntu-

```sh
sudo usg fix cis_level1_
```
After the fix, it breaks DNS.
The problem there is that it installs nftables with an unconfigured table, with no rules.
This has come up twice for support at Ubuntu Forums:
https:/
https:/
In both threads, the users disabled and uninstalled nftables to get their DNS working. That breaks compliance with the STIG. That is a security vulnerability as it relates to the STIG.
I don't know if it was needed, but I created a generic netplan YAML and switched to networkd. That alone did not fix it.
I created these inet filter rules:
```sh
sudo nft add rule inet filter input ip protocol udp ct state established accept
sudo nft add rule inet filter input ip protocol icmp ct state established accept
sudo nft add rule inet filter output ip protocol tcp ct state new,related,
sudo nft add rule inet filter output ip protocol udp ct state new,related,
sudo nft add rule inet filter output ip protocol icmp ct state new,related,
sudo nft add rule inet filter input udp dport 53 accept
sudo nft add rule inet filter input tcp dport 53 accept
sudo nft add rule inet filter output udp dport 53 accept
sudo nft add rule inet filter output tcp dport 53 accept
```

Then I replaced the symlink that resolv.conf points to:

```sh
sudo rm -f /etc/resolv.conf
sudo ln -s /run/systemd/
```
DNS now works after making those changes, and the USG Audit passes.
For some reason, it will not let me upload the inet-filter.rules file, so here are the contents of the current one:

```
table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
        ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop
        iif "lo" accept
        ip6 saddr ::1 counter packets 0 bytes 0 drop
        ip protocol tcp ct state established accept
        ip protocol udp ct state established accept
        ip protocol icmp ct state established accept
        tcp dport 53 accept
        udp dport 53 accept
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
    }
    chain output {
        type filter hook output priority filter; policy accept;
        ip protocol tcp ct state established,related,new accept
        ip protocol udp ct state established,related,new accept
        ip protocol icmp ct state established,related,new accept
        tcp dport 80 accept
        tcp dport 443 accept
        udp dport 53 accept
        tcp dport 53 accept
    }
}
```
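As an added example (not part of the bug report, of usg, or of the Ubuntu Pro tooling), the following shell script generates an nftables ruleset that satisfies the quoted deny-by-default requirement while still permitting DNS, and runs two checks over the result. Two things visible in the ruleset pasted above motivate it: all three base chains carry `policy accept;`, so the accept rules never change a verdict and the STIG's deny-all posture is not actually in effect; and in the input chain `ip saddr 127.0.0.0/8 ... drop` is evaluated before `iif "lo" accept`, so IPv4 loopback traffic (including queries to the systemd-resolved stub at 127.0.0.53) is dropped before the loopback accept is reached. The example puts the loopback accept first, limits the anti-spoofing drop to non-loopback interfaces, and uses `policy drop` with conntrack accepts. The resolver address 192.0.2.53, the output path under /tmp and the HTTP/HTTPS/NTP allows are constructed assumptions; `nft -c -f` is nft's real syntax-check option but needs netlink access, so it is skipped rather than failed when that is unavailable.

```shell
#!/bin/sh
# Added example, not from the bug report: a deny-by-default nftables ruleset
# that keeps DNS working, plus static checks a reviewer can run without nft.

# Emit the ruleset. $1 = upstream DNS resolver (192.0.2.53 is a constructed
# TEST-NET-2 address; replace it with the real resolver for the host).
gen_ruleset() {
    resolver="${1:-192.0.2.53}"
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        # anti-spoofing guard from the report, but only on non-loopback interfaces
        iif != "lo" ip saddr 127.0.0.0/8 drop
        iif != "lo" ip6 saddr ::1 drop
        ct state established,related accept
        ct state invalid drop
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, packet-too-big, time-exceeded, parameter-problem } accept
        # no inbound dport 53: a workstation resolves, it does not serve DNS
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
    chain output {
        type filter hook output priority filter; policy drop;
        oif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # DNS only to the configured resolver; the 127.0.0.53 stub is covered by oif lo
        ip daddr ${resolver} udp dport 53 accept
        ip daddr ${resolver} tcp dport 53 accept
        tcp dport { 80, 443 } accept
        udp dport 123 accept
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-router-solicit } accept
    }
}
EOF
}

# Static checks: every base chain must be deny-by-default and DNS must still
# be explicitly allowed. Returns 0 on success, 1 with a FAIL line otherwise.
check_ruleset() {
    file="$1"
    chains=$(grep -c 'type filter hook' "$file" || true)
    drops=$(grep -c 'policy drop;' "$file" || true)
    [ "$chains" -gt 0 ] || { echo "FAIL: no base chains found"; return 1; }
    [ "$chains" -eq "$drops" ] || { echo "FAIL: $((chains - drops)) chain(s) are not deny-by-default"; return 1; }
    grep -q 'udp dport 53 accept' "$file" || { echo "FAIL: no DNS/UDP allow rule"; return 1; }
    grep -q 'tcp dport 53 accept' "$file" || { echo "FAIL: no DNS/TCP allow rule"; return 1; }
    echo "OK: $chains base chains, all deny-by-default, DNS permitted"
}

# Parse-only check with nft when it is installed; never fails the script,
# because nft -c needs netlink access that an unprivileged shell may lack.
syntax_check() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1" || echo "nft -c could not complete (needs netlink access)"
    else
        echo "nft not installed; skipping syntax check"
    fi
}

main() {
    out="${TMPDIR:-/tmp}/inet-filter.nft"   # constructed output path
    gen_ruleset 192.0.2.53 > "$out"
    check_ruleset "$out"
    syntax_check "$out"
}

main "$@"
```

Load the generated file with `nft -f` once the resolver matches what /etc/resolv.conf actually uses; with the stub resolver left in place, DNS goes over loopback and is covered by the `lo` rules rather than the `ip daddr` rules, so swapping the resolv.conf symlink is not required for DNS to work under this ruleset.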