Description
Describe the bug
Lynis test FIRE-4508 incorrectly assigns hardening points based on the ACCEPT target found in appended rules (-A INPUT -j ACCEPT), treating them as default policies. This misinterpretation leads to inaccurate scoring, especially when the default policy is DROP.
Version
- Distribution [Arch Linux]
- Lynis version [3.1.5]
Expected behavior
Lynis should only assign hardening points for the default policy set with -P INPUT DROP and ignore ACCEPT targets in appended rules when evaluating the default policy.
Output
2025-09-28 17:27:27 Performing test ID FIRE-4508 (Check used policies of iptables chains)
2025-09-28 17:27:27 Info: sorting output
2025-09-28 17:27:27 Result: Found target 'ACCEPT' for chain 'INPUT' (table: filter)
2025-09-28 17:27:27 Hardening: assigned partial number of hardening points (1 of 3). Currently having 148 points (out of 171)
2025-09-28 17:27:27 Result: Found target 'DROP' for chain 'INPUT' (table: filter)
2025-09-28 17:27:27 Hardening: assigned maximum number of hardening points for this item (3). Currently having 151 points (out of 174)
2025-09-28 17:27:27 Info: sorting output
2025-09-28 17:27:27 Result: Found target 'ACCEPT' for chain 'INPUT' (table: security)
2025-09-28 17:27:27 Hardening: assigned partial number of hardening points (1 of 3). Currently having 148 points (out of 171)
2025-09-28 17:27:27 ====
Additional context
>>> sudo iptables -t filter --list-rules
-P INPUT DROP
...
-A INPUT -j LOG --log-prefix "\'[log=Iip4]\'" --log-level 6
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state ! --state NEW -j DROP
-A INPUT -i lo -j ACCEPT
...
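To make the distinction the report is drawing concrete, here is an added example (not Lynis code and not part of the issue) that parses `iptables --list-rules` output in two ways: a target-based scan that picks up `-j ACCEPT` from appended rules, and a policy-only lookup that reads just the `-P` lines. The sample rule set is constructed here in the format shown above; the point values (3 for `DROP`, 1 for `ACCEPT`) are taken from the log in the report, and scoring any other policy as 0 is an assumption made for this example.

```sh
#!/bin/sh
# Added example: score iptables chains by their default policy (-P lines) only,
# and show how a target-based scan misreads "-j ACCEPT" in appended rules.

# Constructed sample in the format of `iptables -t filter --list-rules`.
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -j LOG --log-prefix "[log=Iip4]" --log-level 6
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state ! --state NEW -j DROP
-A INPUT -i lo -j ACCEPT'

# naive_targets CHAIN: every ACCEPT/DROP/REJECT token on any line for CHAIN,
# whether it is the policy in a -P line or the jump target of an -A rule.
# This mirrors the behaviour described in the report: the appended
# "-A INPUT ... -j ACCEPT" rules surface as if ACCEPT were a policy.
naive_targets() {
    printf '%s\n' "$SAMPLE_RULES" |
        awk -v chain="$1" '
            $2 == chain {
                for (i = 3; i <= NF; i++)
                    if ($i ~ /^(ACCEPT|DROP|REJECT)$/) print $i
            }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# chain_policy CHAIN: the default policy only, read from the -P line.
# Appended rules (-A) are never consulted, so their -j targets cannot leak in.
chain_policy() {
    printf '%s\n' "$SAMPLE_RULES" |
        awk -v chain="$1" '$1 == "-P" && $2 == chain { print $3; exit }'
}

# policy_points POLICY: points modelled on the report's log output
# (DROP -> 3 of 3, ACCEPT -> 1 of 3). Scoring anything else as 0 is an
# assumption made for this example, not a Lynis rule.
policy_points() {
    case "$1" in
        DROP)   echo 3 ;;
        ACCEPT) echo 1 ;;
        *)      echo 0 ;;
    esac
}

# score_all_chains: score each chain that has a -P line exactly once.
score_all_chains() {
    total=0
    for chain in $(printf '%s\n' "$SAMPLE_RULES" | awk '$1 == "-P" { print $2 }'); do
        pol=$(chain_policy "$chain")
        pts=$(policy_points "$pol")
        echo "chain=$chain policy=$pol points=$pts"
        total=$((total + pts))
    done
    echo "total=$total"
}

echo "targets seen for INPUT (naive scan): $(naive_targets INPUT)"
echo "default policy of INPUT (policy only): $(chain_policy INPUT)"
score_all_chains
```

Run against the constructed sample, the naive scan reports both `ACCEPT` and `DROP` for `INPUT`, which is the double evaluation visible in the log above, while the policy-only lookup returns `DROP` once and the chain is scored a single time.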