Verify nftables Service is Disabled

Classification: compliance


Description

nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables. The nftables service can be disabled with the following command:

systemctl disable nftables

Rationale

Running both firewalld and the standalone nftables service may lead to conflicting rule sets, because nftables is itself one of the backends that the firewalld management tools use.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'nftables.service'
"$SYSTEMCTL_EXEC" disable 'nftables.service'
"$SYSTEMCTL_EXEC" mask 'nftables.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" -q list-unit-files nftables.socket; then
    "$SYSTEMCTL_EXEC" stop 'nftables.socket'
    "$SYSTEMCTL_EXEC" mask 'nftables.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'nftables.service' || true

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
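The rule's title is about verifying the state, while the page only ships the remediation. The following audit script is an added example and not part of the ComplianceAsCode rule content: it checks that nftables.service (and nftables.socket, when a unit file for it exists) is neither enabled nor running, and, following the comment in the remediation above, treats a 'failed' unit as non-compliant until `systemctl reset-failed` has been run. The decision logic is kept in a function that takes the systemctl output as arguments, so it can be exercised with constructed values on a host without systemd.

```shell
#!/bin/sh
# Added audit example, not part of the ComplianceAsCode rule content: reports
# whether nftables.service and nftables.socket are not enabled and not running.

# assess_unit ENABLED_STATE ACTIVE_STATE: takes the stdout of `systemctl
# is-enabled` and `systemctl is-active` for one unit and prints "pass" or
# "fail: <reason>", so the decision can be exercised offline with constructed values.
assess_unit() {
    case "$1" in
        disabled|masked|masked-runtime) ;;
        *) echo "fail: enabled state is '$1', expected disabled or masked"; return 1 ;;
    esac
    case "$2" in
        inactive) ;;
        failed) echo "fail: unit is in failed state, run systemctl reset-failed"; return 1 ;;
        *) echo "fail: active state is '$2', expected inactive"; return 1 ;;
    esac
    echo "pass"
}

# audit_unit UNIT: query a live unit. Empty systemctl output (unit not
# installed, or systemd not running) becomes 'unknown' and therefore fails.
audit_unit() {
    au_enabled=$(systemctl is-enabled "$1" 2>/dev/null)
    au_active=$(systemctl is-active "$1" 2>/dev/null)
    au_rc=0
    au_result=$(assess_unit "${au_enabled:-unknown}" "${au_active:-unknown}") || au_rc=1
    echo "$1: $au_result"
    return $au_rc
}

# audit_host: check the service, and the socket only when a unit file for it
# exists (the same test the remediation uses). Returns 0 when all units pass.
audit_host() {
    ah_rc=0
    audit_unit nftables.service || ah_rc=1
    if systemctl -q list-unit-files nftables.socket >/dev/null 2>&1; then
        audit_unit nftables.socket || ah_rc=1
    fi
    return $ah_rc
}

# Run the live audit only where systemctl exists; the exit status is the result.
if command -v systemctl >/dev/null 2>&1; then
    audit_host
else
    echo "systemctl not found, live audit skipped" >&2
fi
```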

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Block Disable service nftables
  block:

    - name: Disable service nftables
      block:

        - name: Disable service nftables
          systemd:
            name: nftables.service
            enabled: 'no'
            state: stopped
            masked: 'yes'
      rescue:

        - name: Intentionally ignored previous 'Disable service nftables' failure, service
            was already disabled
          meta: noop
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - disable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - service_nftables_disabled

- name: Unit Socket Exists - nftables.socket
  command: systemctl list-unit-files nftables.socket
  register: socket_file_exists
  changed_when: false
  failed_when: socket_file_exists.rc not in [0, 1]
  check_mode: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - disable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - service_nftables_disabled

- name: Disable socket nftables
  systemd:
    name: nftables.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - '"nftables.socket" in socket_file_exists.stdout_lines[1]'
  tags:
    - disable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - service_nftables_disabled