From 5f7778ec1ace25877f9b7c5e972e2acadd32c0a6 Mon Sep 17 00:00:00 2001
From: Miha Purg <gith.sjfk@tuta.io>
Date: Thu, 28 Nov 2024 15:03:26 +0100
Subject: [PATCH] Revert "Remove Ubuntu oval and remediation for
 nftables_rules_permanent"

---
 .../nftables_rules_permanent/bash/ubuntu.sh   | 18 ++++++++
 .../nftables_rules_permanent/oval/ubuntu.xml  | 43 +++++++++++++++++++
 .../nftables_rules_permanent/rule.yml         |  2 +-
 3 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/system/network/network-nftables/nftables_rules_permanent/bash/ubuntu.sh
 create mode 100644 linux_os/guide/system/network/network-nftables/nftables_rules_permanent/oval/ubuntu.xml

diff --git a/linux_os/guide/system/network/network-nftables/nftables_rules_permanent/bash/ubuntu.sh b/linux_os/guide/system/network/network-nftables/nftables_rules_permanent/bash/ubuntu.sh
new file mode 100644
index 00000000000..f5cd2afef19
--- /dev/null
+++ b/linux_os/guide/system/network/network-nftables/nftables_rules_permanent/bash/ubuntu.sh
@@ -0,0 +1,18 @@
+# platform = multi_platform_ubuntu
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = high
+
+{{{ bash_instantiate_variables("var_nftables_master_config_file") }}}
+
+{{{ bash_instantiate_variables("var_nftables_family") }}}
+
+if [ ! -f "${var_nftables_master_config_file}" ]; then
+    touch "${var_nftables_master_config_file}"
+fi
+
+nft list ruleset > "/etc/${var_nftables_family}-filter.rules"
+
+grep -qxF 'include "/etc/'"${var_nftables_family}"'-filter.rules"' "${var_nftables_master_config_file}" \
+    || echo 'include "/etc/'"${var_nftables_family}"'-filter.rules"' >> "${var_nftables_master_config_file}"
diff --git a/linux_os/guide/system/network/network-nftables/nftables_rules_permanent/oval/ubuntu.xml b/linux_os/guide/system/network/network-nftables/nftables_rules_permanent/oval/ubuntu.xml
new file mode 100644
index 00000000000..a1aec949bb0
--- /dev/null
+++ b/linux_os/guide/system/network/network-nftables/nftables_rules_permanent/oval/ubuntu.xml
@@ -0,0 +1,43 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+      {{{ oval_metadata("Make sure that there is permanent nftables configuration file used
+          to save and re-apply rules on reboot") }}}
+    <criteria operator="AND">
+      <criterion test_ref="test_etc_nftables_conf_file"
+          comment="/etc/nftables.conf exists and include entry present" />
+      <criterion test_ref="test_etc_nftables_conf_include_file_exists"
+          comment="Check if file in include entry exists and not empty" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test id="test_etc_nftables_conf_file"
+      comment="Check the existence of /etc/nftables.conf file"
+      check="all" check_existence="all_exist" version="1">
+    <ind:object object_ref="object_etc_nftables_conf_file" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_test id="test_etc_nftables_conf_include_file_exists"
+      comment="Check if file in include entry exists in system"
+      check="all" check_existence="all_exist" version="1">
+    <ind:object object_ref="object_etc_nftables_conf_include_file_exists" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_etc_nftables_conf_file" version="1">
+    <ind:filepath operation="equals" var_ref="var_nftables_master_config_file"/>
+    <ind:pattern operation="pattern match">^[\s]*include[\s]+\"([^\s]+)"$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_etc_nftables_conf_include_file_exists" version="1">
+    <ind:filepath operation="equals" var_ref="var_include_entry_config_path"/>
+    <ind:pattern operation="pattern match">^.*$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <external_variable comment="file path" datatype="string"
+                     id="var_nftables_master_config_file" version="1"/>
+
+  <local_variable id="var_include_entry_config_path" datatype="string" version="1"
+    comment="File path of the include entry in nftables configuration">
+    <object_component item_field="subexpression" object_ref="object_etc_nftables_conf_file" />
+  </local_variable>
+</def-group>
diff --git a/linux_os/guide/system/network/network-nftables/nftables_rules_permanent/rule.yml b/linux_os/guide/system/network/network-nftables/nftables_rules_permanent/rule.yml
index 1414ee5c298..c0d61ce7d35 100644
--- a/linux_os/guide/system/network/network-nftables/nftables_rules_permanent/rule.yml
+++ b/linux_os/guide/system/network/network-nftables/nftables_rules_permanent/rule.yml
@@ -16,7 +16,7 @@ rationale: |-
 
 severity: medium
 
-platform: package[nftables] and service_disabled[firewalld] and service_disabled[ufw]
+platform: package[nftables] and service_disabled[firewalld]
 
 identifiers:
     cce@sle15: CCE-92485-2