From c3c6767e70b59cbffbe28b380513fecfa57cb56b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rgen=20Uhr?=
Date: Tue, 11 Nov 2025 07:44:45 +0100
Subject: [PATCH 1/2] #14093 - script for checking iptable rules (xccdf_org.ssgproject.content_rule_set_loopback_traffic)

---
 .../set_loopback_traffic/sce/shared.sh | 25 +++++++++++++------
 1 file changed, 18 insertions(+), 7 deletions(-)

diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/sce/shared.sh b/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/sce/shared.sh
index fa706ecd08fc..3cbdf7122138 100644
--- a/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/sce/shared.sh
+++ b/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/sce/shared.sh
@@ -1,17 +1,28 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # platform = multi_platform_sle,multi_platform_ubuntu
 # check-import = stdout
 
-regex="\s+[0-9]+\s+[0-9]+\s+ACCEPT\s+all\s+--\s+lo\s+\*\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0[[:space:]]+[0-9]+\s+[0-9]+\s+DROP\s+all\s+--\s+\*\s+\*\s+127\.0\.0\.0\/8\s+0\.0\.0\.0\/0"
+# Check that iptables exist in current path
+if ! command -v iptables >/dev/null; then
+ exit "$XCCDF_RESULT_FAIL"
+fi
+
+# Get current rules
+rules=$(iptables -S)
+
+# Check for "-A INPUT -i lo -j ACCEPT"
+if [[ ! "$rules" =~ "-A INPUT -i lo -j ACCEPT" ]]; then
+ exit "$XCCDF_RESULT_FAIL"
+fi
 
-# Check chain INPUT for loopback related rules
-if ! iptables -L INPUT -v -n -x | grep -Ezq "$regex" ; then
+# Check for "-A OUTPUT -o lo -j ACCEPT"
+if [[ ! "$rules" =~ "-A OUTPUT -o lo -j ACCEPT" ]]; then
 exit "$XCCDF_RESULT_FAIL"
 fi
 
-# Check chain OUTPUT for loopback related rules
-if ! iptables -L OUTPUT -v -n -x | grep -Eq "\s[0-9]+\s+[0-9]+\s+ACCEPT\s+all\s+--\s+\*\s+lo\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0" ; then
+# Check for "-A INPUT -s 127.0.0.0/8 -j DROP"
+if [[ ! "$rules" =~ "-A INPUT -s 127.0.0.0/8 -j DROP" ]]; then
 exit "$XCCDF_RESULT_FAIL"
 fi
 
-exit "$XCCDF_RESULT_PASS"
+exit "$XCCDF_RESULT_PASS"
\ No newline at end of file

From a1ac6cfca34a52ce77b72845f3cecaf9813debc4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rgen=20Uhr?=
Date: Thu, 13 Nov 2025 13:00:30 +0100
Subject: [PATCH 2/2] fixed EOF

---
 .../iptables_activation/set_loopback_traffic/sce/shared.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/sce/shared.sh b/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/sce/shared.sh
index 3cbdf7122138..bf05361e943d 100644
--- a/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/sce/shared.sh
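Review bot: The three `=~` checks only test that each rule string appears somewhere in the `iptables -S` output, so the new script no longer verifies rule order, which the removed `grep -Ezq "$regex"` did enforce for the INPUT chain by requiring the lo ACCEPT to be followed by the 127.0.0.0/8 DROP. A ruleset where `-A INPUT -s 127.0.0.0/8 -j DROP` is listed before `-A INPUT -i lo -j ACCEPT` (loopback traffic dropped), or after a catch-all such as `-A INPUT -j ACCEPT` (the DROP never evaluated), still passes this check. Since `iptables -S` prints rules in evaluation order, matching whole lines with `grep -nxF --` and comparing the line numbers keeps the literal-string style of the new check while restoring the ordering requirement, and `-x` also rules out substring hits. I would also add `# iptables -S prints rules in evaluation order; the lo ACCEPT must precede the 127.0.0.0/8 DROP` above that block so the next maintainer does not simplify it back to a bare substring test.
```shell
# Get current rules (one rule per line, in evaluation order)
rules=$(iptables -S)

# … unchanged: OUTPUT chain check …

# iptables -S prints rules in evaluation order; the lo ACCEPT must precede the 127.0.0.0/8 DROP
accept_line=$(printf '%s\n' "$rules" | grep -nxF -- '-A INPUT -i lo -j ACCEPT' | head -n1 | cut -d: -f1)
drop_line=$(printf '%s\n' "$rules" | grep -nxF -- '-A INPUT -s 127.0.0.0/8 -j DROP' | head -n1 | cut -d: -f1)
if [[ -z "$accept_line" || -z "$drop_line" || "$accept_line" -ge "$drop_line" ]]; then
    exit "$XCCDF_RESULT_FAIL"
fi
```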
+++ b/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/sce/shared.sh
@@ -25,4 +25,5 @@ if [[ ! "$rules" =~ "-A INPUT -s 127.0.0.0/8 -j DROP" ]]; then
 exit "$XCCDF_RESULT_FAIL"
 fi
 
-exit "$XCCDF_RESULT_PASS"
\ No newline at end of file
+exit "$XCCDF_RESULT_PASS"
+