Update ubuntu2404 CIS control 4.3.8

controls/cis_ubuntu2404.yml

@@ -1398,10 +1398,9 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    related_rules:
+    rules:
       - nftables_ensure_default_deny_policy
-    status: planned
-    notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/3.5.2.8.
+    status: automated
 
   - id: 4.3.9
     title: Ensure nftables service is enabled (Automated)

linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml

@@ -1,6 +1,5 @@
 documentation_complete: true
 
-
 title: 'Ensure nftables Default Deny Firewall Policy'
 
 description: |-
@@ -9,12 +8,23 @@ description: |-
    the firewall will accept any packet that is not configured to be denied and the packet will
    continue traversing the network stack.
 
+   {% if 'ubuntu' in product %}
+   Run the following commands and verify that base chains contain a policy of DROP.
+   <pre>
+   $ nft list ruleset | grep 'hook input'
+   type filter hook input priority 0; policy drop;
+   $ nft list ruleset | grep 'hook forward'
+   type filter hook forward priority 0; policy drop;
+   $ nft list ruleset | grep 'hook output'
+   type filter hook output priority 0; policy drop;
+   </pre>
+
 rationale: |
    It is easier to allow acceptable usage than to block unacceptable usage.
 
 severity: medium
 
-platform: package[nftables] and service_disabled[firewalld]
+platform: package[nftables] and service_disabled[firewalld] and service_disabled[ufw]
 
 identifiers:
     cce@sle15: CCE-92507-3