Merge pull request ComplianceAsCode#14116 from jorgenuhr/ComplianceAsCode#14093-xccdf_org.ssgproject.content_rule_set_loopback_traffic

ComplianceAsCode#14093 - script for checking iptable rules

Author: vojtapolasek

linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/sce/shared.sh

@@ -1,17 +1,29 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # platform = multi_platform_sle,multi_platform_ubuntu
 # check-import = stdout
 
-regex="\s+[0-9]+\s+[0-9]+\s+ACCEPT\s+all\s+--\s+lo\s+\*\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0[[:space:]]+[0-9]+\s+[0-9]+\s+DROP\s+all\s+--\s+\*\s+\*\s+127\.0\.0\.0\/8\s+0\.0\.0\.0\/0"
+# Check that iptables exist in current path
+if ! command -v iptables >/dev/null; then
+    exit "$XCCDF_RESULT_FAIL"
+fi
 
-# Check chain INPUT for loopback related rules
-if ! iptables -L INPUT -v -n -x | grep -Ezq "$regex" ; then
+# Get current rules
+rules=$(iptables -S)
+
+# Check for "-A INPUT -i lo -j ACCEPT"
+if [[ ! "$rules" =~ "-A INPUT -i lo -j ACCEPT" ]]; then
     exit "$XCCDF_RESULT_FAIL"
 fi
 
-# Check chain OUTPUT for loopback related rules
-if ! iptables -L OUTPUT -v -n -x | grep -Eq "\s[0-9]+\s+[0-9]+\s+ACCEPT\s+all\s+--\s+\*\s+lo\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0" ; then
+# Check for "-A OUTPUT -o lo -j ACCEPT"
+if [[ ! "$rules" =~ "-A OUTPUT -o lo -j ACCEPT" ]]; then
+    exit "$XCCDF_RESULT_FAIL"
+fi
+
+# Check for "-A INPUT -s 127.0.0.0/8 -j DROP"
+if [[ ! "$rules" =~ "-A INPUT -s 127.0.0.0/8 -j DROP" ]]; then
     exit "$XCCDF_RESULT_FAIL"
 fi
 
 exit "$XCCDF_RESULT_PASS"
+