3.4.3.8 Ensure nftables rules are permanent

Information

nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames.
The nftables service reads the /etc/sysconfig/nftables.conf file for a nftables file or files to include in the nftables ruleset.
A nftables ruleset containing the input, forward, and output base chains allow network traffic to be filtered.
Rationale:
Changes made to nftables ruleset only affect the live system, you will also need to configure the nftables ruleset to apply on boot

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Edit the /etc/sysconfig/nftables.conf file and un-comment or add a line with include <Absolute path to nftables rules file> for each nftables file you want included in the nftables ruleset on boot example:
# vi /etc/sysconfig/nftables.conf
Add the line:
include "/etc/nftables/nftables.rules"

See Also

https://workbench.cisecurity.org/files/2485

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3(3)

Plugin: Unix

Control ID: 1472fda21b5bae6b98e18ceedbd45a6e7abe230d0202dc46893102269024f22a