USG CIS / DISA STIG 'usg' fix script breaks DNS

Bug #2043651 reported by Mike Ferreira
Affects: Ubuntu Pro
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

To ensure USG CIS / DISA STIG compliance for cis_level1_workstation, for this:
>>>
The firewall must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). To prevent malicious or accidental leakage of traffic, organizations must implement a deny-by-default security posture at the network perimeter.
>>>
On a fresh install of Ubuntu Desktop 22.04.3, before attaching to Ubuntu Pro, DNS works.

After installing ubuntu-advantage-tools, attaching to Ubuntu Pro, enabling USG, installing 'usg', then doing
...
sudo usg fix cis_level1_workstation
...
After the fix, it breaks DNS.

The problem there is that it installs nftables with an unconfigured table, with no rules.

This has come up twice for support at Ubuntu Forums:
https://ubuntuforums.org/showthread.php?t=2491597
https://ubuntuforums.org/showthread.php?t=2492542

In both threads, the users disabled and uninstalled nftables to get their DNS working. That breaks compliance with the STIG. That is a security vulnerability as it relates to the STIG.

I don't know if it was needed, but I created a generic netplan YAML and switched to networkd. That alone did not fix it.

I created these inet filter rules:
...
sudo nft add rule inet filter input ip protocol udp ct state established accept
sudo nft add rule inet filter input ip protocol icmp ct state established accept
sudo nft add rule inet filter output ip protocol tcp ct state new,related,established accept
sudo nft add rule inet filter output ip protocol udp ct state new,related,established accept
sudo nft add rule inet filter output ip protocol icmp ct state new,related,established accept
sudo nft add rule inet filter input udp dport 53 accept
sudo nft add rule inet filter input tcp dport 53 accept
sudo nft add rule inet filter output udp dport 53 accept
sudo nft add rule inet filter output tcp dport 53 accept
...
Then I replaced the symlink that resolv.conf points to:
...
sudo rm -f /etc/resolv.conf
sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
...
DNS now works after making those changes, and the USG Audit passes.

Mike Ferreira (mafoelffen) wrote:
information type: Private Security → Public
Mike Ferreira (mafoelffen) wrote:

For some reason, it will not let me upload the inet-filter.rules... So here are the contents of the current one:
...
table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
        ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop
        iif "lo" accept
        ip6 saddr ::1 counter packets 0 bytes 0 drop
        ip protocol tcp ct state established accept
        ip protocol udp ct state established accept
        ip protocol icmp ct state established accept
        tcp dport 53 accept
        udp dport 53 accept
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
    }
    chain output {
        type filter hook output priority filter; policy accept;
        ip protocol tcp ct state established,related,new accept
        ip protocol udp ct state established,related,new accept
        ip protocol icmp ct state established,related,new accept
        tcp dport 80 accept
        tcp dport 443 accept
        udp dport 53 accept
        tcp dport 53 accept
    }
}
...

Mike Ferreira (mafoelffen) wrote:

Well, it works, but looking at the audit, there is some tweaking to do to satisfy this, which is a medium-risk fail: "Ensure nftables default deny firewall policy"
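Two things stand out in the ruleset posted above: every chain is `policy accept`, which is what the "default deny" audit item flags, and the `ip saddr 127.0.0.0/8 ... drop` rule precedes `iif "lo" accept`, so nft (which evaluates rules in order) would drop queries to the systemd-resolved stub on 127.0.0.53 unless resolv.conf bypasses the stub, as it does after the symlink change. The script below is an added example, not from the bug report or from usg, that prints a deny-by-default ruleset for a single workstation (DNS client only, no forwarding) in which loopback, DNS, HTTP/HTTPS and established traffic still work; `check_ruleset` only syntax-checks it with `nft -c` and loads nothing.

```shell
#!/bin/sh
# Added example (not from the bug report or usg): print a deny-by-default
# nftables ruleset for a workstation that must still resolve DNS.
cis_deny_by_default_ruleset() {
    cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        # Loopback first: systemd-resolved's stub listens on 127.0.0.53,
        # so the anti-spoofing drops below must not come before this rule.
        iif "lo" accept
        iif != "lo" ip saddr 127.0.0.0/8 counter drop
        iif != "lo" ip6 saddr ::1 counter drop
        ct state invalid drop
        ct state established,related accept
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept
        # No inbound dport 53: a workstation is a DNS client, not a server.
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
    chain output {
        type filter hook output priority filter; policy drop;
        oif "lo" accept
        ct state established,related accept
        # Outbound DNS on both transports (TCP handles truncated replies).
        udp dport 53 ct state new accept
        tcp dport 53 ct state new accept
        tcp dport { 80, 443 } ct state new accept
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept
        # Add other client protocols (e.g. NTP udp/123) here as needed.
    }
}
EOF
}

# Syntax-check without loading (nft -c); skipped when nft is not installed.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        cis_deny_by_default_ruleset | nft -c -f -
    else
        echo "nft not installed; skipping syntax check" >&2
    fi
}

cis_deny_by_default_ruleset
```

Load it with `sudo nft -f` and persist it in `/etc/nftables.conf` only after the check passes, then re-run the usg audit to confirm the default-deny item clears.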
