Merge pull request #12649 from mpurg/revert-12643-ubuntu_nftables_per…

…manent

Revert "Remove Ubuntu oval and remediation for nftables_rules_permanent"

linux_os/guide/system/network/network-nftables/nftables_rules_permanent/bash/ubuntu.sh

@@ -0,0 +1,18 @@
+# platform = multi_platform_ubuntu
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = high
+
+{{{ bash_instantiate_variables("var_nftables_master_config_file") }}}
+
+{{{ bash_instantiate_variables("var_nftables_family") }}}
+
+if [ ! -f "${var_nftables_master_config_file}" ]; then
+    touch "${var_nftables_master_config_file}"
+fi
+
+nft list ruleset > "/etc/${var_nftables_family}-filter.rules"
+
+grep -qxF 'include "/etc/'"${var_nftables_family}"'-filter.rules"' "${var_nftables_master_config_file}" \
+    || echo 'include "/etc/'"${var_nftables_family}"'-filter.rules"' >> "${var_nftables_master_config_file}"

linux_os/guide/system/network/network-nftables/nftables_rules_permanent/oval/ubuntu.xml

@@ -0,0 +1,43 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+      {{{ oval_metadata("Make sure that there is permanent nftables configuration file used
+          to save and re-apply rules on reboot") }}}
+    <criteria operator="AND">
+      <criterion test_ref="test_etc_nftables_conf_file"
+          comment="/etc/nftables.conf exists and include entry present" />
+      <criterion test_ref="test_etc_nftables_conf_include_file_exists"
+          comment="Check if file in include entry exists and not empty" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test id="test_etc_nftables_conf_file"
+      comment="Check the existence of /etc/nftables.conf file"
+      check="all" check_existence="all_exist" version="1">
+    <ind:object object_ref="object_etc_nftables_conf_file" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_test id="test_etc_nftables_conf_include_file_exists"
+      comment="Check if file in include entry exists in system"
+      check="all" check_existence="all_exist" version="1">
+    <ind:object object_ref="object_etc_nftables_conf_include_file_exists" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_etc_nftables_conf_file" version="1">
+    <ind:filepath operation="equals" var_ref="var_nftables_master_config_file"/>
+    <ind:pattern operation="pattern match">^[\s]*include[\s]+\"([^\s]+)"$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_etc_nftables_conf_include_file_exists" version="1">
+    <ind:filepath operation="equals" var_ref="var_include_entry_config_path"/>
+    <ind:pattern operation="pattern match">^.*$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <external_variable comment="file path" datatype="string"
+                     id="var_nftables_master_config_file" version="1"/>
+
+  <local_variable id="var_include_entry_config_path" datatype="string" version="1"
+    comment="File path of the include entry in nftables configuration">
+    <object_component item_field="subexpression" object_ref="object_etc_nftables_conf_file" />
+  </local_variable>
+</def-group>

linux_os/guide/system/network/network-nftables/nftables_rules_permanent/rule.yml

@@ -16,7 +16,7 @@ rationale: |-
 
 severity: medium
 
-platform: package[nftables] and service_disabled[firewalld] and service_disabled[ufw]
+platform: package[nftables] and service_disabled[firewalld]
 
 identifiers:
     cce@sle15: CCE-92485-2