Verify nftables Service is Enabled

Classification:

compliance

Description

The nftables service loads the nftables ruleset during boot, or whenever the nftables service is started.

The nftables service can be enabled with the following command:

$ sudo systemctl enable nftables.service

Rationale

The nftables service restores the nftables rules from the rules files referenced in /etc/sysconfig/nftables.conf during boot or when the nftables service is started. If the service is not enabled, the firewall ruleset is not restored after a reboot and the host runs without its packet filter.
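An audit helper that checks the state this rule requires (unit enabled and active, with the same container exclusion the remediation uses), written for this page as an added example; it is not part of the ComplianceAsCode rule or its OVAL check. The SYSTEMCTL path, the function names and the PASS/FAIL wording are my own choices.

```shell
#!/bin/sh
# Added example: audit whether nftables.service is enabled and running.
# SYSTEMCTL may be overridden in the environment (assumed default path).
SYSTEMCTL="${SYSTEMCTL:-/usr/bin/systemctl}"

# Same platform guard as the remediation script: containers are exempt.
is_container() {
    [ -f /.dockerenv ] || [ -f /run/.containerenv ]
}

# Decide pass/fail from the two strings systemctl reports.
# "enabled" is the state produced by 'systemctl enable'; anything else
# (disabled, masked, static, unknown) means the ruleset will not be restored.
# Returns 0 on PASS, 1 on FAIL.
evaluate_state() {
    enabled="$1"
    active="$2"
    case "$enabled" in
        enabled) ;;
        *) echo "FAIL: nftables.service is '$enabled' (expected 'enabled')"
           return 1 ;;
    esac
    case "$active" in
        active) ;;
        *) echo "FAIL: nftables.service is '$active' (expected 'active')"
           return 1 ;;
    esac
    echo "PASS: nftables.service is enabled and active"
    return 0
}

# Query systemd and evaluate. Missing systemctl or a missing unit
# yields 'unknown', which is reported as a failure rather than a pass.
audit_nftables_service() {
    if is_container; then
        echo "NOT APPLICABLE: running inside a container"
        return 0
    fi
    enabled=$("$SYSTEMCTL" is-enabled nftables.service 2>/dev/null || true)
    active=$("$SYSTEMCTL" is-active nftables.service 2>/dev/null || true)
    evaluate_state "${enabled:-unknown}" "${active:-unknown}"
}
```

Source the file and call audit_nftables_service; a non-zero exit status marks the host as non-compliant with this rule.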

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" unmask 'nftables.service'
    "$SYSTEMCTL_EXEC" start 'nftables.service'
    "$SYSTEMCTL_EXEC" enable 'nftables.service'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Enable service nftables
  block:

    - name: Gather the package facts
      package_facts:
        manager: auto

    - name: Enable service nftables
      systemd:
        name: nftables
        enabled: 'yes'
        state: started
        masked: 'no'
      when:
        - '"nftables" in ansible_facts.packages'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - service_nftables_enabled