Add better firewall detection for applying automated hardening

Bug #1927138 reported by Joshua Genet
Affects: Ubuntu Security Certifications
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

Release: 20.04

In this case rule 3.5.3.1.3, but from what I can gather this also applies to the 3.5.x forks.

---

The memcached charm relies on ufw during the install hook. The current implementation of this rule removes ufw and causes a failure during the install hook.

Workaround (not accepted by Field) is to use custom rulesets as outlined here:
https://git.launchpad.net/~fips-cc-stig/fips-cc-stig/+git/ubuntu-security-guides/tree/cisbenchmark/README.hardening?h=Focal

Another workaround (not accepted by Solutions-QA) is to manually apply remediation:
Set xccdf_com.ubuntu.focal.cis_value_firewall_choice=ufw and manually apply remediation from section 3.5.1.x via your out-of-band hardening scripts.
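The workaround above amounts to telling the hardening run which firewall the host actually uses before any rule that removes ufw fires. The script below is an added example, not code from the bug report or from the USG project: it probes for ufw, maps the result to a firewall choice, and says whether the "remove ufw" remediation is safe to apply. The tailoring variable name is the one quoted in the report; the function names, the "absent/inactive/active" states and the rule that ufw may only be removed when it is not installed at all are assumptions made for this example.

```shell
#!/bin/sh
# Added example: decide the firewall choice for CIS tailoring before applying
# automated hardening, so a remediation that uninstalls ufw is not run on a
# host that depends on it (e.g. a Juju charm that calls ufw in its install hook).
# Assumption: the only supported values are "ufw" and the USG default "iptables".

# classify_ufw_status LINE
# Map the first line of `ufw status` output to one of: active, inactive,
# absent (empty line, ufw not present), unknown. Pure function, testable offline.
classify_ufw_status() {
    case "$1" in
        "Status: active"*)   echo active ;;
        "Status: inactive"*) echo inactive ;;
        "")                  echo absent ;;
        *)                   echo unknown ;;
    esac
}

# detect_ufw_state
# Probe the running host. `ufw status` needs root; when run unprivileged the
# error goes to stderr and the empty first line is classified as absent, so
# run this as root for a trustworthy answer.
detect_ufw_state() {
    if ! command -v ufw >/dev/null 2>&1 &&
       ! dpkg-query -W -f='${Status}' ufw 2>/dev/null | grep -q 'install ok installed'; then
        echo absent
        return
    fi
    classify_ufw_status "$(ufw status 2>/dev/null | head -n 1)"
}

# firewall_choice STATE
# Only an active ufw is reported as "ufw"; everything else falls back to the
# USG-supported default, iptables.
firewall_choice() {
    case "$1" in
        active) echo ufw ;;
        *)      echo iptables ;;
    esac
}

# ufw_removal_safe STATE
# Exit 0 only when ufw is not installed at all. An installed-but-inactive ufw
# may still be required by software that manages it (the failure this bug
# describes), so removal is refused in that case as well.
ufw_removal_safe() {
    [ "$1" = absent ]
}

# tailoring_line STATE
# Print the XCCDF variable assignment quoted in the bug report for this state.
tailoring_line() {
    echo "xccdf_com.ubuntu.focal.cis_value_firewall_choice=$(firewall_choice "$1")"
}

# Run with --probe to inspect the current host; no side effects otherwise.
if [ "${1:-}" = "--probe" ]; then
    state=$(detect_ufw_state)
    echo "ufw state: $state"
    tailoring_line "$state"
    if ufw_removal_safe "$state"; then
        echo "rule 3.5.3.1.3 (remove ufw): safe to apply"
    else
        echo "rule 3.5.3.1.3 (remove ufw): skip, ufw is present on this host"
    fi
fi
```

Feed the printed tailoring line into the ruleset used by the hardening run, and gate the ufw-removal rule on the exit status of ufw_removal_safe; both decisions are taken from the same probe, so they cannot disagree.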

Richard Maciel Costa (richardmaciel) wrote :

As stated in the documentation, the USG only supports iptables as the firewall of choice. Newer versions of the USG may support other fw technologies, but adding that support to this specific one would require a significant overhaul of the scripts.

Changed in ubuntu-security-certifications:
status: New → Invalid
