Checks set_loopback_traffic.sh and set_ipv6_loopback_traffic.sh use incorrect regex for parsing the output of `iptables -L INPUT -v -n`

Bug #2061215 reported by Przemyslaw Hausman
This bug affects 1 person
Affects: Ubuntu Security Guide
Status: Fix Committed
Importance: Undecided
Assigned to: Miha Purg

Bug Description

usg version: 22.04.6

The following checks incorrectly parse the output of `ip6tables -L INPUT -v -n`:
- /usr/share/ubuntu-scap-security-guides/1/benchmarks/ubuntu2204/checks/sce/set_loopback_traffic.sh
- /usr/share/ubuntu-scap-security-guides/1/benchmarks/ubuntu2204/checks/sce/set_ipv6_loopback_traffic.sh

As a result, these checks return an incorrect return value, marking the rule as failed.

I have the system with the following rules:

```
# iptables -L INPUT -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 433K 94M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
    8 480 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:17070 ctstate NEW
41174 2411K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0 0 DROP all -- * * 127.0.0.0/8 0.0.0.0/0
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:49152:49261 ctstate NEW
    0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:11211
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3307
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3308
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3309
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8888
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9856
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9866
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9876
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:41142
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:48922
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:52970
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5672
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6641
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6642
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:34207
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5405
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5555
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:6081
  182 37934 LOGGING all -- * * 0.0.0.0/0 0.0.0.0/0
```

The regular expression used in the checks does not take into account the letter "K" in the "bytes" column. As a result the check fails, but it should be successful.

This is the regex currently implemented in the scripts:
```
regex="\s+[0-9]+\s+[0-9]+\s+ACCEPT\s+all\s+--\s+lo\s+\*\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0[[:space:]]+[0-9]+\s+[0-9]+\s+DROP\s+all\s+--\s+\*\s+\*\s+127\.0\.0\.0\/8\s+0\.0\.0\.0\/0"
```

Miha Purg (mihap) wrote :

Hi Przemyslaw, thanks for reporting this!

As you point out the regex doesn't seem to account for the human readable format of packet counts and bytes. Adding the -x flag to iptables/ip6tables solves the issue.

I'll add the fix to the next release of usg for jammy (22.04.7).

Changed in usg:
status: New → In Progress
assignee: nobody → Miha Purg (mihap)
Miha Purg (mihap)
Changed in usg:
status: In Progress → Fix Committed
Przemyslaw Hausman (phausman) wrote :

Thank you, @mihap, adding `-x` seems like a nice fix!
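The failing match and the `-x` fix, as an added example that is not usg's own check script: the regex quoted in the description is applied with bash's `[[ =~ ]]` to a constructed copy of the reporter's `-v -n` output (keeping the `41174 2411K` counters from the report) and to a constructed `-v -n -x` rendering of the same chain with exact counters. A suffix-tolerant variant of the regex is shown as a second option. The sample outputs, the `regex_for` and `verdict` helpers and the `[KMGT]?` variant are mine, not from the report or from usg; the shipped regex is reproduced with `\s` written as `[[:space:]]` and `\/` as `/` so it is plain POSIX ERE, with its structure otherwise unchanged.

```bash
#!/bin/bash
# Added example (not usg's own check script): reproduce why the loopback checks
# return a false failure on `iptables -L INPUT -v -n` output and why `-x` fixes it.
# Every sample output below is constructed for this example.

S='[[:space:]]+'
N='[0-9]+'           # a counter column as the shipped regex expects it: digits only
NH='[0-9]+[KMGT]?'   # a counter column as iptables prints it without -x, e.g. 2411K
                     # (assumption: K/M/G/T are the suffixes iptables uses)

# regex_for COUNTER -> the check's regex with COUNTER used for every pkts/bytes column.
# This is the regex quoted in the report with \s spelled [[:space:]] and \/ spelled /
# so that it is plain POSIX ERE for bash's [[ =~ ]]; the structure is unchanged.
regex_for() {
    printf '%s' "${S}$1${S}$1${S}ACCEPT${S}all${S}--${S}lo${S}\\*${S}0\\.0\\.0\\.0/0${S}0\\.0\\.0\\.0/0${S}$1${S}$1${S}DROP${S}all${S}--${S}\\*${S}\\*${S}127\\.0\\.0\\.0/8${S}0\\.0\\.0\\.0/0"
}
CHECK_REGEX=$(regex_for "$N")      # what the usg scripts ship
TOLERANT_REGEX=$(regex_for "$NH")  # hardened variant, my suggestion, not from the report

# verdict OUTPUT REGEX -> prints "pass" when the ACCEPT-from-lo rule is directly
# followed by the DROP-127.0.0.0/8 rule in OUTPUT, "fail" otherwise. [[:space:]]+
# matches the newline between the two rule lines, so the whole output is matched
# as one string; the two rules therefore have to be consecutive in the chain.
verdict() {
    local output="$1" regex="$2"
    if [[ "$output" =~ $regex ]]; then echo pass; else echo fail; fi
}

# Constructed: `iptables -L INPUT -v -n` once counters pass 1000; the ACCEPT/lo
# line carries the "41174 2411K" values from the report.
HUMAN_READABLE=$(cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 433K 94M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
41174 2411K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0 0 DROP all -- * * 127.0.0.0/8 0.0.0.0/0
  182 37934 LOGGING all -- * * 0.0.0.0/0 0.0.0.0/0
EOF
)

# Constructed: the same chain from `iptables -L INPUT -v -n -x`, exact counters.
EXACT=$(cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 433217 98561034 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
41174 2468992 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0 0 DROP all -- * * 127.0.0.0/8 0.0.0.0/0
  182 37934 LOGGING all -- * * 0.0.0.0/0 0.0.0.0/0
EOF
)

# Constructed: a host that really is missing the DROP rule; every regex must fail.
MISSING_DROP=$(cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
41174 2468992 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
  182 37934 LOGGING all -- * * 0.0.0.0/0 0.0.0.0/0
EOF
)

shipped_on_v_n()     { verdict "$HUMAN_READABLE" "$CHECK_REGEX"; }     # fail (the bug)
shipped_on_v_n_x()   { verdict "$EXACT" "$CHECK_REGEX"; }              # pass (the -x fix)
tolerant_on_v_n()    { verdict "$HUMAN_READABLE" "$TOLERANT_REGEX"; }  # pass
shipped_on_missing() { verdict "$MISSING_DROP" "$CHECK_REGEX"; }       # fail, correctly

printf 'shipped regex, -v -n output:     %s\n' "$(shipped_on_v_n)"
printf 'shipped regex, -v -n -x output:  %s\n' "$(shipped_on_v_n_x)"
printf 'tolerant regex, -v -n output:    %s\n' "$(tolerant_on_v_n)"
printf 'shipped regex, DROP rule absent: %s\n' "$(shipped_on_missing)"
```

Run it with bash; it prints the four verdicts. Adding `-x` to the `iptables`/`ip6tables` call is the smaller change and is what the fix does; the tolerant regex only matters where the command line cannot be changed. Either way the check still requires the ACCEPT-from-lo rule and the DROP-127.0.0.0/8 rule to be adjacent in the chain, because `[[:space:]]+` only spans the newline between two consecutive lines, so a compliant rule set with another rule between them would still be reported as failed.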
