CIS 3.5.4.1.4 on bionic does not work for some cases.

Bug #1957171 reported by Ebrar Leblebici
Affects: Ubuntu Security Certifications
Status: Fix Released
Importance: Undecided
Assigned to: Adam Bell

Bug Description

It looks like we have bugs in the CIS hardening script for the rule "Ensure firewall rules exist for all open ports" (CIS 3.5.4.1.4).

First:

There may be listening ports bound to a specific interface and IP like the one below (which is also the case we have met with a customer):

udp 10.10.10.10%ens3 68

In the script, the "10.10.10.10%ens3" part is assigned in its entirety to the addr variable, and it is not possible to match this value against the iptables rules with:

iptables -n -L INPUT -v | tail -n+3 | tr -s ' ' | cut -d ' ' -f4,5,7,9,10,11,12 |\
     grep -P "^ACCEPT\s+${proto}\s+[^\s]+(?<!\blo)\s+0.0.0.0/0\s+${addr}(/0)?\s+${proto}\s+dpt:${port}"

So it returns 1.

Secondly:

Also, if there is a listening port (for example 22) on 0.0.0.0 and the iptables rule was written with a limited source IP like the one below:

sudo iptables -A INPUT -p tcp -s 5.0.0.0/12 -d 192.168.122.36 --dport 22 -j ACCEPT

Again it fails and returns exit code 1, because it expects 0.0.0.0/0 as the source IP. I think it should return 0, as there would be a firewall rule for this open port (22); it should not need to be open to the world (0.0.0.0/0).

It affects one of our customers. They have a listening port like udp 10.10.10.10%ens3 68.
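The following is an added example, not the check from ubuntu-security-guides and not the fix that was later released for it: a small POSIX sh script showing one way to write the "a firewall rule exists for this open port" test so that both cases from the report pass. It strips an interface scope suffix such as %ens3 before matching, accepts a rule with any source address (the control asks that at least one rule exist for the port, not that the port be open to the world), and parses the same `iptables -n -L INPUT -v` column layout the original pipeline reads. The listener list and the iptables output are constructed sample data, and the function names (strip_scope, firewall_rule_exists, check_all_listeners) are this example's own.

```sh
#!/bin/sh
# Added example (not the ubuntu-security-guides script and not its released fix):
# a rule-existence check that handles the two cases from the report.
# All input below is constructed sample data so the script runs offline.

# Constructed listeners in the "proto addr port" shape the hardening script
# derives from ss output. Includes the %ens3 scoped address from the report.
LISTENERS='udp 10.10.10.10%ens3 68
tcp 0.0.0.0 22
tcp 127.0.0.1 631
tcp 192.168.122.36 8080'

# Constructed `iptables -n -L INPUT -v` output in the layout the original
# pipeline reads (two header lines, then one rule per line).
IPTABLES_INPUT='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       5.0.0.0/12           192.168.122.36       tcp dpt:22
    0     0 ACCEPT     udp  --  ens3   *       0.0.0.0/0            10.10.10.10          udp dpt:68'

# strip_scope ADDR: drop an interface scope suffix such as %ens3, which is
# what broke the original regex (case 1 in the report).
strip_scope() {
    printf '%s\n' "$1" | sed 's/%.*$//'
}

# firewall_rule_exists PROTO ADDR PORT
# Exit 0 if an ACCEPT rule in INPUT that is not bound to lo matches PROTO and
# PORT and whose destination covers ADDR. Any source is accepted (case 2 in
# the report); the original regex required 0.0.0.0/0.
firewall_rule_exists() {
    fr_proto=$1
    fr_addr=$(strip_scope "$2")
    fr_port=$3
    printf '%s\n' "$IPTABLES_INPUT" | tail -n +3 |
    awk -v proto="$fr_proto" -v addr="$fr_addr" -v port="$fr_port" '
        # Columns: pkts bytes target prot opt in out source destination [match...]
        # The port is taken from the trailing match text ("tcp dpt:22"), not the
        # prot column, which newer iptables releases print numerically under -n.
        $3 == "ACCEPT" && $6 != "lo" && $(NF-1) == proto && $NF == ("dpt:" port) {
            dst = $9
            any_dst = (dst == "0.0.0.0/0")
            sub(/\/(32|0)$/, "", dst)
            # A listener on 0.0.0.0 is covered by a rule for any local address;
            # a listener on a specific address needs that address or 0.0.0.0/0.
            if (any_dst || dst == addr || addr == "0.0.0.0") { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }'
}

# check_all_listeners: audit every non-loopback listener; exit 0 only if
# each has a matching rule, printing one line per listener.
check_all_listeners() {
    ca_rc=0
    while read -r l_proto l_addr l_port; do
        [ -n "$l_proto" ] || continue
        case "$(strip_scope "$l_addr")" in
            127.*) continue ;;   # loopback listeners are out of scope for the control
        esac
        if firewall_rule_exists "$l_proto" "$l_addr" "$l_port"; then
            printf 'ok      %s %s %s\n' "$l_proto" "$l_addr" "$l_port"
        else
            printf 'MISSING %s %s %s\n' "$l_proto" "$l_addr" "$l_port"
            ca_rc=1
        fi
    done <<EOF
$LISTENERS
EOF
    return $ca_rc
}

if check_all_listeners; then
    echo "PASS: every open port has a firewall rule"
else
    echo "FAIL: at least one open port has no firewall rule"
fi
```

With the constructed data the udp 68 listener on 10.10.10.10%ens3 and the tcp 22 listener on 0.0.0.0 both pass, and the tcp 8080 listener is reported as MISSING. Like the original pipeline, this looks only at ACCEPT rules in INPUT, so a chain whose default policy is ACCEPT, a rule written with -m multiport, or ip6tables rules are not considered and would need separate handling.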

Adam Bell (arbell)
Changed in ubuntu-security-certifications:
assignee: nobody → Adam Bell (arbell)
status: New → In Progress
Adam Bell (arbell)
Changed in ubuntu-security-certifications:
status: In Progress → Fix Committed
Adam Bell (arbell) wrote :

Hello,

This has been fixed with ubuntu-security-guides 18.04.19.1 for Bionic.

Thank you for your report!

Changed in ubuntu-security-certifications:
status: Fix Committed → Fix Released