From 5a1fb4154a31d6df82487483bc9b1906fe6afc58 Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Wed, 27 Nov 2024 15:18:59 +0100
Subject: [PATCH] Remove Ubuntu oval and remediation for nftables_rules_permanent

Existing ubuntu OVAL checks only whether configuration files are included in /etc/nftables.conf, and whether they are not empty. It doesn't check for actual contents, giving a false sense of correctness when the check passes. The Ubuntu CIS recommendations require that the content matches local site policy, which is not possible to automate, thus removing the audit and remediation.
---
 .../nftables_rules_permanent/bash/ubuntu.sh | 18 --------
 .../nftables_rules_permanent/oval/ubuntu.xml | 43 -------------------
 .../nftables_rules_permanent/rule.yml | 2 +-
 3 files changed, 1 insertion(+), 62 deletions(-)
 delete mode 100644 linux_os/guide/system/network/network-nftables/nftables_rules_permanent/bash/ubuntu.sh
 delete mode 100644 linux_os/guide/system/network/network-nftables/nftables_rules_permanent/oval/ubuntu.xml

diff --git a/linux_os/guide/system/network/network-nftables/nftables_rules_permanent/bash/ubuntu.sh b/linux_os/guide/system/network/network-nftables/nftables_rules_permanent/bash/ubuntu.sh
deleted file mode 100644
index f5cd2afef19..00000000000
--- a/linux_os/guide/system/network/network-nftables/nftables_rules_permanent/bash/ubuntu.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-# platform = multi_platform_ubuntu
-# reboot = false
-# strategy = restrict
-# complexity = low
-# disruption = high
-
-{{{ bash_instantiate_variables("var_nftables_master_config_file") }}}
-
-{{{ bash_instantiate_variables("var_nftables_family") }}}
-
-if [ ! -f "${var_nftables_master_config_file}" ]; then
- touch "${var_nftables_master_config_file}"
-fi
-
-nft list ruleset > "/etc/${var_nftables_family}-filter.rules"
-
-grep -qxF 'include "/etc/'"${var_nftables_family}"'-filter.rules"' "${var_nftables_master_config_file}" \
- || echo 'include "/etc/'"${var_nftables_family}"'-filter.rules"' >> "${var_nftables_master_config_file}"
diff --git a/linux_os/guide/system/network/network-nftables/nftables_rules_permanent/oval/ubuntu.xml b/linux_os/guide/system/network/network-nftables/nftables_rules_permanent/oval/ubuntu.xml
deleted file mode 100644
index a1aec949bb0..00000000000
--- a/linux_os/guide/system/network/network-nftables/nftables_rules_permanent/oval/ubuntu.xml
+++ /dev/null
@@ -1,43 +0,0 @@
- - - {{{ oval_metadata("Make sure that there is permanent nftables configuration file used - to save and re-apply rules on reboot") }}} - - - - - - - - - - - - - - - - ^[\s]*include[\s]+\"([^\s]+)"$ - 1 - - - - - ^.*$ - 1 - - - - - - - -
diff --git a/linux_os/guide/system/network/network-nftables/nftables_rules_permanent/rule.yml b/linux_os/guide/system/network/network-nftables/nftables_rules_permanent/rule.yml
index c0d61ce7d35..1414ee5c298 100644
--- a/linux_os/guide/system/network/network-nftables/nftables_rules_permanent/rule.yml
+++ b/linux_os/guide/system/network/network-nftables/nftables_rules_permanent/rule.yml
@@ -16,7 +16,7 @@ rationale: |-
 severity: medium
-platform: package[nftables] and service_disabled[firewalld]
+platform: package[nftables] and service_disabled[firewalld] and service_disabled[ufw]
 identifiers:
 cce@sle15: CCE-92485-2
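Review bot: The `and service_disabled[ufw]` appended to the `platform` line in rule.yml is not explained anywhere in the commit description, which only covers dropping the Ubuntu OVAL and bash content; the intent should be recorded, e.g. a YAML comment above it such as `# Not applicable when ufw manages the ruleset; it persists its own rules` (presumably the reason, since the hunk itself does not say). Please also confirm that `service_disabled[ufw]` evaluates as satisfied on platforms where ufw is not installed at all — the rule still carries `cce@sle15`, and if the CPE requires the unit to exist the rule would silently drop out of those profiles rather than fail visibly. The hunk shows only a fragment of rule.yml, so the rest of the rule's applicability and its remaining checks are outside this view.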