[FAIL] 3.4.1.1 Ensure IPv4 default deny firewall policy (Automatic) #4655

bck01215 · 2025-10-01T16:18:59Z

bck01215
Oct 1, 2025

In my terraform I have this setting


[settings.bootstrap-containers.myscript]
mode="always"
user-data="${base64encode(<<EOF
#!/bin/bash
dnf -y update
dnf -y install iptables iptables-services iptables-legacy
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -I INPUT -p tcp -m tcp --dport 10250 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
ip6tables -F
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
ip6tables -A INPUT -p tcp --destination-port 10250 -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -s ::1 -j DROP
ip6tables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
iptables -L -v
EOF
)}"
EOF

I run apiclient report cis -l 2 all pass pass except [FAIL] 3.4.1.1 Ensure IPv4 default deny firewall policy (Automatic)

Output

[ssm-user@control]$ apiclient report cis -l 2
Benchmark name:  CIS Bottlerocket Benchmark
Version:         v1.0.0
Reference:       https://www.cisecurity.org/benchmark/bottlerocket
Benchmark level: 2
Start time:      2025-10-01T16:04:45.934241971Z

[PASS] 1.1.1.1   Ensure mounting of udf filesystems is disabled (Automatic)
[SKIP] 1.2.1     Ensure software update repositories are configured (Manual)
[PASS] 1.3.1     Ensure dm-verity is configured (Automatic)
[PASS] 1.4.1     Ensure setuid programs do not create core dumps (Automatic)
[PASS] 1.4.2     Ensure address space layout randomization (ASLR) is enabled (Automatic)
[PASS] 1.4.3     Ensure unprivileged eBPF is disabled (Automatic)
[PASS] 1.4.4     Ensure user namespaces are disabled (Automatic)
[PASS] 1.5.1     Ensure SELinux is configured (Automatic)
[PASS] 1.5.2     Ensure Lockdown is configured (Automatic)
[SKIP] 1.6       Ensure updates, patches, and additional security software are installed (Manual)
[PASS] 2.1.1.1   Ensure chrony is configured (Automatic)
[PASS] 3.1.1     Ensure packet redirect sending is disabled (Automatic)
[PASS] 3.2.1     Ensure source routed packets are not accepted (Automatic)
[PASS] 3.2.2     Ensure ICMP redirects are not accepted (Automatic)
[PASS] 3.2.3     Ensure secure ICMP redirects are not accepted (Automatic)
[PASS] 3.2.4     Ensure suspicious packets are logged (Automatic)
[PASS] 3.2.5     Ensure broadcast ICMP requests are ignored (Automatic)
[PASS] 3.2.6     Ensure bogus ICMP responses are ignored (Automatic)
[PASS] 3.2.7     Ensure TCP SYN Cookies is enabled (Automatic)
[PASS] 3.3.1     Ensure SCTP is disabled (Automatic)
[FAIL] 3.4.1.1   Ensure IPv4 default deny firewall policy (Automatic)
[PASS] 3.4.1.2   Ensure IPv4 loopback traffic is configured (Automatic)
[SKIP] 3.4.1.3   Ensure IPv4 outbound and established connections are configured (Manual)
[PASS] 3.4.2.1   Ensure IPv6 default deny firewall policy (Automatic)
[PASS] 3.4.2.2   Ensure IPv6 loopback traffic is configured (Automatic)
[SKIP] 3.4.2.3   Ensure IPv6 outbound and established connections are configured (Manual)
[PASS] 4.1.1.1   Ensure journald is configured to write logs to persistent disk (Automatic)
[PASS] 4.1.2     Ensure permissions on journal files are configured (Automatic)

Passed:          23
Failed:          1
Skipped:         4
Total checks:    28

Compliance check result: FAIL

I am using the VPC CNI.

Journal logs

[ssm-user@control]$ apiclient exec admin journalctl -D /.bottlerocket/rootfs/var/log/journal/ -u bootstrap-containers@myscript
-- Logs begin at Wed 2025-10-01 16:26:37 UTC, end at Wed 2025-10-01 16:27:42 UTC. --
Oct 01 16:26:41 ip-10-4-2-132.ec2.internal systemd[1]: Starting bootstrap container myscript...
Oct 01 16:26:41 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: time="2025-10-01T16:26:41Z" level=info msg="Image does not exist, proceeding to pull image from source." ref="ecr.aws/arn:aws:ecr:us-east-1:328549459982:repository/bottlerocket-bootstrap:v0.2.5"
Oct 01 16:26:41 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: time="2025-10-01T16:26:41Z" level=info msg="pulling with Amazon ECR Resolver" ref="ecr.aws/arn:aws:ecr:us-east-1:328549459982:repository/bottlerocket-bootstrap:v0.2.5"
Oct 01 16:26:43 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: time="2025-10-01T16:26:43Z" level=info msg="pulled image successfully" img="ecr.aws/arn:aws:ecr:us-east-1:328549459982:repository/bottlerocket-bootstrap:v0.2.5"
Oct 01 16:26:43 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: time="2025-10-01T16:26:43Z" level=info msg="unpacking image..." img="ecr.aws/arn:aws:ecr:us-east-1:328549459982:repository/bottlerocket-bootstrap:v0.2.5"
Oct 01 16:26:46 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: time="2025-10-01T16:26:46Z" level=info msg="tagging image" img="328549459982.dkr.ecr.us-east-1.amazonaws.com/bottlerocket-bootstrap:v0.2.5"
Oct 01 16:26:46 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: time="2025-10-01T16:26:46Z" level=info msg="Container does not exist, proceeding to create it" ctr-id=boot.myscript
Oct 01 16:26:46 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: time="2025-10-01T16:26:46Z" level=info msg="container task does not exist, proceeding to create it" container-id=boot.myscript
Oct 01 16:26:46 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: time="2025-10-01T16:26:46Z" level=info msg="successfully started container task"
Oct 01 16:26:46 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: + declare -r HOST_CERTS=/.bottlerocket/certs
Oct 01 16:26:46 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: + [[ -d /.bottlerocket/certs ]]
Oct 01 16:26:46 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: + link_host_certs
Oct 01 16:26:46 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: ++ ls -1 /.bottlerocket/certs
Oct 01 16:26:46 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: + for cert in $(ls -1 "${HOST_CERTS}")
Oct 01 16:26:46 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: + ln -s /.bottlerocket/certs/ca-bundle.crt /etc/pki/ca-trust/source/anchors/ca-bundle.crt
Oct 01 16:26:46 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: + update-ca-trust
Oct 01 16:26:47 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: + USER_DATA_PATH=/.bottlerocket/bootstrap-containers/current/user-data
Oct 01 16:26:47 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: + [[ -s /.bottlerocket/bootstrap-containers/current/user-data ]]
Oct 01 16:26:47 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: + [[ ! -d /.bottlerocket/bootstrap-containers/current/user-data ]]
Oct 01 16:26:47 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: + chmod +x /.bottlerocket/bootstrap-containers/current/user-data
Oct 01 16:26:47 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: + '[' -x /.bottlerocket/bootstrap-containers/current/user-data ']'
Oct 01 16:26:47 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: + exec /.bottlerocket/bootstrap-containers/current/user-data
Oct 01 16:26:47 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: Amazon Linux 2023 repository                     70 MB/s |  43 MB     00:00
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: Last metadata expiration check: 0:00:07 ago on Wed Oct  1 16:26:47 2025.
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: Dependencies resolved.
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: Nothing to do.
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: Complete!
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: Last metadata expiration check: 0:00:07 ago on Wed Oct  1 16:26:47 2025.
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: Dependencies resolved.
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: ================================================================================
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:  Package                 Arch    Version                     Repository    Size
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: ================================================================================
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: Installing:
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:  iptables-legacy         x86_64  1.8.8-3.amzn2023.0.2        amazonlinux   53 k
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:  iptables-nft            x86_64  1.8.8-3.amzn2023.0.2        amazonlinux  183 k
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:  iptables-services       noarch  1.8.8-3.amzn2023.0.2        amazonlinux   18 k
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: Installing dependencies:
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:  iptables-legacy-libs    x86_64  1.8.8-3.amzn2023.0.2        amazonlinux   40 k
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:  iptables-libs           x86_64  1.8.8-3.amzn2023.0.2        amazonlinux  401 k
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:  iptables-utils          x86_64  1.8.8-3.amzn2023.0.2        amazonlinux   43 k
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:  libibverbs              x86_64  48.0-1.amzn2023.0.1         amazonlinux  433 k
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:  libmnl                  x86_64  1.0.4-13.amzn2023.0.2       amazonlinux   29 k
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:  libnetfilter_conntrack  x86_64  1.0.8-2.amzn2023.0.2        amazonlinux   58 k
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:  libnfnetlink            x86_64  1.0.1-19.amzn2023.0.2       amazonlinux   30 k
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:  libnftnl                x86_64  1.2.2-2.amzn2023.0.2        amazonlinux   84 k
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:  libnl3                  x86_64  3.5.0-6.amzn2023.0.2        amazonlinux  330 k
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:  libpcap                 x86_64  14:1.10.1-1.amzn2023.0.2    amazonlinux  173 k
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: Transaction Summary
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: ================================================================================
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: Install  13 Packages
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: Total download size: 1.8 M
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: Installed size: 5.8 M
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: Downloading Packages:
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: (1/13): iptables-legacy-libs-1.8.8-3.amzn2023.0 2.2 MB/s |  40 kB     00:00
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: (2/13): iptables-legacy-1.8.8-3.amzn2023.0.2.x8 2.5 MB/s |  53 kB     00:00
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: (3/13): iptables-nft-1.8.8-3.amzn2023.0.2.x86_6  16 MB/s | 183 kB     00:00
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: (4/13): iptables-services-1.8.8-3.amzn2023.0.2. 1.9 MB/s |  18 kB     00:00
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: (5/13): iptables-libs-1.8.8-3.amzn2023.0.2.x86_  12 MB/s | 401 kB     00:00
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: (6/13): iptables-utils-1.8.8-3.amzn2023.0.2.x86 6.1 MB/s |  43 kB     00:00
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: (7/13): libibverbs-48.0-1.amzn2023.0.1.x86_64.r  39 MB/s | 433 kB     00:00
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: (8/13): libmnl-1.0.4-13.amzn2023.0.2.x86_64.rpm 2.9 MB/s |  29 kB     00:00
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: (9/13): libnetfilter_conntrack-1.0.8-2.amzn2023 8.8 MB/s |  58 kB     00:00
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: (10/13): libnfnetlink-1.0.1-19.amzn2023.0.2.x86 4.5 MB/s |  30 kB     00:00
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: (11/13): libnftnl-1.2.2-2.amzn2023.0.2.x86_64.r  10 MB/s |  84 kB     00:00
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: (12/13): libnl3-3.5.0-6.amzn2023.0.2.x86_64.rpm  34 MB/s | 330 kB     00:00
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: (13/13): libpcap-1.10.1-1.amzn2023.0.2.x86_64.r  19 MB/s | 173 kB     00:00
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: --------------------------------------------------------------------------------
Oct 01 16:26:54 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: Total                                            12 MB/s | 1.8 MB     00:00
Oct 01 16:26:55 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: Running transaction check
Oct 01 16:26:55 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: Transaction check succeeded.
Oct 01 16:26:55 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: Running transaction test
Oct 01 16:26:55 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: Transaction test succeeded.
Oct 01 16:26:55 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: Running transaction
Oct 01 16:26:55 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   Preparing        :                                                        1/1
Oct 01 16:26:55 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   Installing       : libmnl-1.0.4-13.amzn2023.0.2.x86_64                   1/13
Oct 01 16:26:55 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   Installing       : libnfnetlink-1.0.1-19.amzn2023.0.2.x86_64             2/13
Oct 01 16:26:55 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   Installing       : libnetfilter_conntrack-1.0.8-2.amzn2023.0.2.x86_64    3/13
Oct 01 16:26:55 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   Installing       : libnftnl-1.2.2-2.amzn2023.0.2.x86_64                  4/13
Oct 01 16:26:55 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   Installing       : libnl3-3.5.0-6.amzn2023.0.2.x86_64                    5/13
Oct 01 16:26:55 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   Installing       : libibverbs-48.0-1.amzn2023.0.1.x86_64                 6/13
Oct 01 16:26:55 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   Installing       : libpcap-14:1.10.1-1.amzn2023.0.2.x86_64               7/13
Oct 01 16:26:55 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   Installing       : iptables-libs-1.8.8-3.amzn2023.0.2.x86_64             8/13
Oct 01 16:26:55 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   Installing       : iptables-nft-1.8.8-3.amzn2023.0.2.x86_64              9/13
Oct 01 16:26:55 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   Running scriptlet: iptables-nft-1.8.8-3.amzn2023.0.2.x86_64              9/13
Oct 01 16:26:55 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   Installing       : iptables-utils-1.8.8-3.amzn2023.0.2.x86_64           10/13
Oct 01 16:26:55 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   Installing       : iptables-legacy-libs-1.8.8-3.amzn2023.0.2.x86_64     11/13
Oct 01 16:26:55 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   Installing       : iptables-legacy-1.8.8-3.amzn2023.0.2.x86_64          12/13
Oct 01 16:26:55 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   Running scriptlet: iptables-legacy-1.8.8-3.amzn2023.0.2.x86_64          12/13
Oct 01 16:26:55 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   Installing       : iptables-services-1.8.8-3.amzn2023.0.2.noarch        13/13
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   Running scriptlet: iptables-services-1.8.8-3.amzn2023.0.2.noarch        13/13
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   Verifying        : iptables-legacy-1.8.8-3.amzn2023.0.2.x86_64           1/13
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   Verifying        : iptables-legacy-libs-1.8.8-3.amzn2023.0.2.x86_64      2/13
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   Verifying        : iptables-libs-1.8.8-3.amzn2023.0.2.x86_64             3/13
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   Verifying        : iptables-nft-1.8.8-3.amzn2023.0.2.x86_64              4/13
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   Verifying        : iptables-services-1.8.8-3.amzn2023.0.2.noarch         5/13
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   Verifying        : iptables-utils-1.8.8-3.amzn2023.0.2.x86_64            6/13
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   Verifying        : libibverbs-48.0-1.amzn2023.0.1.x86_64                 7/13
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   Verifying        : libmnl-1.0.4-13.amzn2023.0.2.x86_64                   8/13
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   Verifying        : libnetfilter_conntrack-1.0.8-2.amzn2023.0.2.x86_64    9/13
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   Verifying        : libnfnetlink-1.0.1-19.amzn2023.0.2.x86_64            10/13
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   Verifying        : libnftnl-1.2.2-2.amzn2023.0.2.x86_64                 11/13
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   Verifying        : libnl3-3.5.0-6.amzn2023.0.2.x86_64                   12/13
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   Verifying        : libpcap-14:1.10.1-1.amzn2023.0.2.x86_64              13/13
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: Installed:
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   iptables-legacy-1.8.8-3.amzn2023.0.2.x86_64
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   iptables-legacy-libs-1.8.8-3.amzn2023.0.2.x86_64
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   iptables-libs-1.8.8-3.amzn2023.0.2.x86_64
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   iptables-nft-1.8.8-3.amzn2023.0.2.x86_64
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   iptables-services-1.8.8-3.amzn2023.0.2.noarch
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   iptables-utils-1.8.8-3.amzn2023.0.2.x86_64
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   libibverbs-48.0-1.amzn2023.0.1.x86_64
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   libmnl-1.0.4-13.amzn2023.0.2.x86_64
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   libnetfilter_conntrack-1.0.8-2.amzn2023.0.2.x86_64
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   libnfnetlink-1.0.1-19.amzn2023.0.2.x86_64
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   libnftnl-1.2.2-2.amzn2023.0.2.x86_64
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   libnl3-3.5.0-6.amzn2023.0.2.x86_64
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:   libpcap-14:1.10.1-1.amzn2023.0.2.x86_64
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: Complete!
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: cannot access /var/lib/alternatives/ip6tables: No such file or directory
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: Chain INPUT (policy DROP 0 packets, 0 bytes)
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:  pkts bytes target     prot opt in     out     source               destination
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:     0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:10250
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:     0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:     0     0 DROP       all  --  any    any     localhost/8          anywhere
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:     0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             state ESTABLISHED
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:     0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             state ESTABLISHED
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:     0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             state ESTABLISHED
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: Chain FORWARD (policy DROP 0 packets, 0 bytes)
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:  pkts bytes target     prot opt in     out     source               destination
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: Chain OUTPUT (policy DROP 0 packets, 0 bytes)
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:  pkts bytes target     prot opt in     out     source               destination
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:     0     0 ACCEPT     all  --  any    lo      anywhere             anywhere
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:     0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             state NEW,ESTABLISHED
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:     0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             state NEW,ESTABLISHED
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]:     0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             state NEW,ESTABLISHED
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2460]: time="2025-10-01T16:26:59Z" level=info msg="container task exited" code=0
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2712]: 16:26:59 [INFO] bootstrap-containers started
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal bootstrap-containers@myscript[2712]: 16:26:59 [INFO] Mode for 'myscript' is 'always'
Oct 01 16:26:59 ip-10-4-2-132.ec2.internal systemd[1]: Finished bootstrap container myscript.

Any ideas on why the [FAIL] 3.4.1.1 Ensure IPv4 default deny firewall policy (Automatic) check is not passing?

vigh-m · 2025-10-01T17:19:27Z

vigh-m
Oct 1, 2025
Maintainer

Hi,

Thanks for reaching out!

We have an existing issue for this here bottlerocket-os/bottlerocket-core-kit#540 and for now this is expected behaviour. We're working on updating the benchmark in bottlerocket-os/bottlerocket-core-kit#665.

Our current recommendation is to work with an auditor to log an exception for this while we work on the update.

1 reply

bck01215 Oct 1, 2025
Author

Thanks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[FAIL] 3.4.1.1 Ensure IPv4 default deny firewall policy (Automatic) #4655

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

[FAIL] 3.4.1.1 Ensure IPv4 default deny firewall policy (Automatic) #4655

Uh oh!

Uh oh!

bck01215 Oct 1, 2025

Replies: 1 comment · 1 reply

Uh oh!

vigh-m Oct 1, 2025 Maintainer

Uh oh!

bck01215 Oct 1, 2025 Author

bck01215
Oct 1, 2025

Replies: 1 comment 1 reply

vigh-m
Oct 1, 2025
Maintainer

bck01215 Oct 1, 2025
Author