From 17c3a63f1c6326bab7c3d3e2d4b7c5cc11a96935 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E4=BB=BB=E6=BD=87?= Date: Mon, 24 Apr 2023 11:23:46 +0000 Subject: [PATCH 1/4] add benchmarks/system-configurations/4.71-ensure-nftables-is-not-installed.md. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 任潇 --- .../4.71-ensure-nftables-is-not-installed.md | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 benchmarks/system-configurations/4.71-ensure-nftables-is-not-installed.md
diff --git a/benchmarks/system-configurations/4.71-ensure-nftables-is-not-installed.md b/benchmarks/system-configurations/4.71-ensure-nftables-is-not-installed.md new file mode 100644
index 0000000..bf87d30
--- /dev/null
+++ b/benchmarks/system-configurations/4.71-ensure-nftables-is-not-installed.md
@@ -0,0 +1,37 @@
+# 4.71 确保 nftables 未安装
+
+## 安全等级
+
+- level 1
+
+## 描述
+
+`nftables`是Linux内核的一个子系统,它提供网络包/数据报/帧的过滤和分类功能,是`iptables`的替代品。同时运行这两个子系统可能导致冲突。
+
+## 修复建议
+
+移除`nftables`。
+
+1. 执行以下命令以移除`nftables`:
+
+```bash
+# yum remove nftables
+```
+
+## 扫描检测
+
+确保`nftables`已经删除。
+
+1. 执行以下命令,验证`nftables`是否已经移除:
+
+```bash
+# rpm -q nftables
+package nftables is not installed
+```
+
+如果命令执行后返回结果如上所示,则视为通过此项检查。
+
+## 参考
+
+- cis:
+
-- Gitee From cb7d944fd3f28a7534e2fbdbabbdd89243c29c98 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E4=BB=BB=E6=BD=87?= Date: Mon, 24 Apr 2023 11:26:11 +0000 Subject: [PATCH 2/4] add scanner file 4.71-ensure-nftables-is-not-installed.sh for 4.71-ensure-nftables-is-not-installed.md. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 任潇 --- .../4.71-ensure-nftables-is-not-installed.sh | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 scanners/system-configurations/4.71-ensure-nftables-is-not-installed.sh
diff --git a/scanners/system-configurations/4.71-ensure-nftables-is-not-installed.sh b/scanners/system-configurations/4.71-ensure-nftables-is-not-installed.sh new file mode 100644
index 0000000..23fed69
--- /dev/null
+++ b/scanners/system-configurations/4.71-ensure-nftables-is-not-installed.sh
@@ -0,0 +1,9 @@
+result=true
+
+rpm -qa | grep -c nftables >/dev/null && result=false
+
+if [ "$result" == true ]; then
+ echo "pass"
+else
+ echo "fail"
+fi
-- Gitee From 32e9af95786d7b35e8cc5e7a36842373abf490c8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E4=BB=BB=E6=BD=87?= Date: Mon, 24 Apr 2023 11:27:44 +0000 Subject: [PATCH 3/4] add file 4.71-ensure-nftables-is-not-installed.sh for 4.71-ensure-nftables-is-not-installed.md. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 任潇 --- .../4.71-ensure-nftables-is-not-installed.sh | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 remediation-kits/system-configurations/4.71-ensure-nftables-is-not-installed.sh
diff --git a/remediation-kits/system-configurations/4.71-ensure-nftables-is-not-installed.sh b/remediation-kits/system-configurations/4.71-ensure-nftables-is-not-installed.sh new file mode 100644
index 0000000..fbac8fd
--- /dev/null
+++ b/remediation-kits/system-configurations/4.71-ensure-nftables-is-not-installed.sh
@@ -0,0 +1,14 @@
+result=true
+
+rpm -qa | grep -c nftables >/dev/null && result=false
+
+if [ "$result" == true ]; then
+ echo "nftables has been uninstalled."
+else
+ systemctl stop nftables
+ yum remove -y nftables
+ rm -rf /etc/nftables.conf
+ rm -rf /etc/systemd/system/nftables.service
+ rm -rf /var/log/nftables.log
+ echo "nftables uninstalled."
+fi
-- Gitee From 9dcbb0dafdc29b52fc254a645e39cee7966af78f Mon Sep 17 00:00:00 2001
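Review bot: The check on the `rpm -qa | grep -c nftables >/dev/null && result=false` line of the scanner tests for any installed package whose name contains the substring `nftables`, not for the `nftables` package itself, so a host carrying only a differently named package with that substring is reported as `fail`, and the scanner disagrees with its own benchmark page, which verifies with `rpm -q nftables`. Query the exact package instead: `rpm -q nftables >/dev/null 2>&1 && result=false`. The `==` operator inside `[ ]` together with the missing shebang means the script only behaves as intended when invoked under bash; add `#!/usr/bin/env bash` as the first line, or use `=`, unless the harness is known to run these scanners with bash.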
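Review bot: The removal branch of the remediation runs `systemctl stop nftables` and `yum remove -y nftables` whenever any installed package name contains `nftables`, and on distributions where firewalld's backend requires the `nftables` package that removal takes firewalld with it, leaving the host without a packet filter; the packaged `nftables.service` typically flushes the live ruleset on stop as well, so the kit can silently drop every firewall rule rather than resolve a conflict with iptables. Use the exact package query the benchmark page uses (`rpm -q nftables`) and refuse to proceed when another installed package depends on nftables, which `rpm -q --whatrequires nftables` reports with a zero exit status. The three `rm -rf` calls target plain files and should be `rm -f --`; `/etc/systemd/system/nftables.service` is also the location of a local unit override rather than the package's own unit, so deleting it deserves a comment saying why. The rewritten branch is sketched below.
```shell
# Exact package query; a substring grep would also match unrelated packages.
rpm -q nftables >/dev/null 2>&1 && result=false

if [ "$result" == true ]; then
    # … unchanged: already-removed message …
else
    # Refuse to pull the firewall out from under the host: on some
    # distributions firewalld depends on the nftables package.
    if rpm -q --whatrequires nftables >/dev/null 2>&1; then
        echo "nftables is required by other installed packages; not removing." >&2
        exit 1
    fi
    systemctl stop nftables
    yum remove -y nftables
    # Local unit override location, not the package unit; cleared so a
    # stale override cannot resurrect the service.
    rm -f -- /etc/nftables.conf /etc/systemd/system/nftables.service /var/log/nftables.log
    echo "nftables uninstalled."
fi
```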
From: =?UTF-8?q?=E4=BB=BB=E6=BD=87?= Date: Mon, 24 Apr 2023 11:37:50 +0000 Subject: [PATCH 4/4] update docs/summary-of-rules.md. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 任潇 --- docs/summary-of-rules.md | 1 + 1 file changed, 1 insertion(+)
diff --git a/docs/summary-of-rules.md b/docs/summary-of-rules.md
index c97f4f0..0af431e 100644
--- a/docs/summary-of-rules.md
+++ b/docs/summary-of-rules.md
@@ -171,6 +171,7 @@
 | 4.68 | 4.68-ensure-permissions-TMP-is-correct.md | 4.68 为公共目录/tmp添加粘贴位 | benchmarks/system-configurations | 1 |
 | 4.69 | 4.69-ensure-permissions-on-ssh-priv-and-pub-key-are-right.md | 4.69 严格要求SSH公私钥文件权限配置正确 | benchmarks/system-configurations | 3 |
 | 4.70 | 4.70-ensure-xdmcp-is-not-enabled.md | 4.70 确保没有启用XDMCP | benchmarks/system-configurations | 1 |
+| 4.71 | 4.71-ensure-nftables-is-not-installed.md | 4.71 确保nftables未安装 | benchmarks/system-configurations | 1 |
 | 5.1 | 5.1-ensure-selinux-is-installed.md | 5.1 确保SElinux工具已安装 | benchmarks/mandatory-access-control | 1 |
 | 5.2 | 5.2-ensure-selinux-policy-is-configured.md | 5.2 确保SELinux调用mls策略 | benchmarks/mandatory-access-control | 3 |
 | 5.3 | 5.3-ensure-the-selinux-mode-is-enabled.md | 5.3 确保SELinux不是禁用模式 | benchmarks/mandatory-access-control | 3 |
-- Gitee