Some updates

- auditd: migrate rules using deprecated syntax (`-w`, `-p` and `-k`).
  Also clean them up.
- nftables: remove the usage of nexthdr for matching ipv6 packets. Also
  allow DHCP client traffic, IGMP and multicast DNS.
Hoang Nguyen 2024-01-20 00:00:00 +07:00
parent 4040b1dcf4
commit 51a5a5a5b7
Signed by: folliehiyuki
GPG Key ID: B0567C20730E9B11
5 changed files with 126 additions and 120 deletions


@ -20,7 +20,7 @@ Stuff that are planned to be added/changed.
## Cosmetic
- [ ] Packer + Terraform / Pulumi (zfs + btrfs VMs) for testing the playbook (need <https://github.com/digitalocean/go-libvirt/issues/171> implemented first)
- [ ] Packer + Terraform / Pulumi (zfs + btrfs VMs) for testing the playbook
## Just in case I forget


@ -53,6 +53,7 @@ crond_provider:
syslog_provider:
- busybox
- logbookd
- rsyslog
- sysklogd


@ -23,24 +23,24 @@
## Audit the audit logs
### Successful and unsuccessful attempts to read information from the audit records
-w /var/log/audit/ -p wra -k auditlog
-a always,exit -F arch=b64 -F dir=/var/log/audit/ -F perm=wra -F key=auditlog
## Auditd configuration
### Modifications to audit configuration that occur while the audit collection functions are operating
-w /etc/audit/ -p wa -k auditconfig
-w /etc/libaudit.conf -p wa -k auditconfig
-a always,exit -F arch=b64 -F dir=/etc/audit/ -F perm=wa -F key=auditconfig
-a always,exit -F arch=b64 -F path=/etc/libaudit.conf -F perm=wa -F key=auditconfig
## Monitor for use of audit management tools
-w /usr/sbin/auditctl -p x -k audittools
-w /usr/sbin/auditd -p x -k audittools
-w /usr/sbin/augenrules -p x -k audittools
-a always,exit -F arch=b64 -F path=/usr/sbin/auditctl -F perm=x -F key=audittools
-a always,exit -F arch=b64 -F path=/usr/sbin/auditd -F perm=x -F key=audittools
-a always,exit -F arch=b64 -F path=/usr/sbin/augenrules -F perm=x -F key=audittools
## Access to all audit trails
-a always,exit -F path=/usr/sbin/ausearch -F perm=x -k auditlog_local_access
-a always,exit -F path=/usr/sbin/aureport -F perm=x -k auditlog_local_access
-a always,exit -F path=/usr/bin/aulast -F perm=x -k auditlog_local_access
-a always,exit -F path=/usr/bin/aulastlog -F perm=x -k auditlog_local_access
-a always,exit -F path=/usr/bin/auvirt -F perm=x -k auditlog_local_access
-a always,exit -F path=/usr/sbin/ausearch -F perm=x -F key=auditlog_local_access
-a always,exit -F path=/usr/sbin/aureport -F perm=x -F key=auditlog_local_access
-a always,exit -F path=/usr/bin/aulast -F perm=x -F key=auditlog_local_access
-a always,exit -F path=/usr/bin/aulastlog -F perm=x -F key=auditlog_local_access
-a always,exit -F path=/usr/bin/auvirt -F perm=x -F key=auditlog_local_access
# Filters ---------------------------------------------------------------------
@ -59,80 +59,78 @@
{% endif %}
## High Volume Event Filter (especially on Linux Workstations)
-a never,exit -F arch=b64 -F dir=/dev/shm -k sharedmemaccess
-a never,exit -F arch=b64 -F dir=/var/lock/lvm -k locklvm
-a never,exit -F arch=b64 -F dir=/dev/shm -F key=sharedmemaccess
-a never,exit -F arch=b64 -F dir=/var/lock/lvm -F key=locklvm
# Rules -----------------------------------------------------------------------
## Kernel parameters
-w /etc/sysctl.conf -p wa -k sysctl
-w /etc/sysctl.d -p wa -k sysctl
-a always,exit -F arch=b64 -F path=/etc/sysctl.conf -F perm=wa -F key=sysctl
-a always,exit -F arch=b64 -F dir=/etc/sysctl.d/ -F perm=wa -F key=sysctl
# Kernel module loading and unloading
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/insmod -k modules
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/modprobe -k modules
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/rmmod -k modules
-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules
-a always,exit -F arch=b64 -F perm=x -F auid!=-1 -F path=/sbin/insmod -F key=modules
-a always,exit -F arch=b64 -F perm=x -F auid!=-1 -F path=/sbin/modprobe -F key=modules
-a always,exit -F arch=b64 -F perm=x -F auid!=-1 -F path=/sbin/rmmod -F key=modules
-a always,exit -F arch=b64 -S finit_module,init_module,delete_module -F auid!=-1 -F key=modules
## Modprobe configuration
-w /etc/modprobe.conf -p wa -k modprobe
-w /etc/modprobe.d -p wa -k modprobe
-a always,exit -F arch=b64 -F path=/etc/modprobe.conf -F perm=wa -F key=modprobe
-a always,exit -F arch=b64 -F dir=/etc/modprobe.d/ -F perm=wa -F key=modprobe
## KExec usage (all actions)
-a always,exit -F arch=b64 -S kexec_load -k KEXEC
-a always,exit -F arch=b64 -S kexec_load -F key=KEXEC
## Special files
-a always,exit -F arch=b64 -S mknod -S mknodat -k specialfiles
-a always,exit -F arch=b64 -S mknod,mknodat -F key=specialfiles
## Mount operations (only attributable)
-a always,exit -F arch=b64 -S mount -S umount2 -F auid!=-1 -k mount
-a always,exit -F arch=b64 -S mount,umount2 -F auid!=-1 -F key=mount
## Change swap (only attributable)
-a always,exit -F arch=b64 -S swapon -S swapoff -F auid!=-1 -k swap
-a always,exit -F arch=b64 -S swapon,swapoff -F auid!=-1 -F key=swap
## Time
-a always,exit -F arch=b64 -F uid!=ntp -S adjtimex -S settimeofday -S clock_settime -k time
-a always,exit -F arch=b64 -F uid!=ntp -S adjtimex,settimeofday,clock_settime -F key=time
### Local time zone
-w /etc/localtime -p wa -k localtime
-a always,exit -F arch=b64 -F path=/etc/localtime -F perm=wa -F key=localtime
## Cron configuration & scheduled jobs
-w /etc/fcron.allow -p wa -k cron
-w /etc/fcron.deny -p wa -k cron
-w /etc/cron.allow -p wa -k cron
-w /etc/cron.deny -p wa -k cron
-w /etc/crontabs -p wa -k cron
-w /etc/cron.d -p wa -k cron
-w /var/spool/cron/ -p wa -k cron
-w /etc/periodic/15min/ -p wa -k cron
-w /etc/periodic/hourly/ -p wa -k cron
-w /etc/periodic/daily/ -p wa -k cron
-w /etc/periodic/weekly/ -p wa -k cron
-w /etc/periodic/monthly/ -p wa -k cron
-a always,exit -F arch=b64 -F path=/etc/cron.allow -F perm=wa -F key=cron
-a always,exit -F arch=b64 -F path=/etc/cron.deny -F perm=wa -F key=cron
-a always,exit -F arch=b64 -F dir=/etc/fcron/ -F perm=wa -F key=cron
-a always,exit -F arch=b64 -F dir=/etc/crontabs/ -F perm=wa -F key=cron
-a always,exit -F arch=b64 -F dir=/etc/cron.d/ -F perm=wa -F key=cron
-a always,exit -F arch=b64 -F dir=/var/spool/cron/ -F perm=wa -F key=cron
-a always,exit -F arch=b64 -F dir=/var/spool/fcron/ -F perm=wa -F key=cron
-a always,exit -F arch=b64 -F dir=/etc/periodic/ -F perm=wa -F key=cron
## User, group, password databases
-w /etc/group -p wa -k etcgroup
-w /etc/passwd -p wa -k etcpasswd
-w /etc/shadow -k etcpasswd
-a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F key=etcgroup
-a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F key=etcpasswd
-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F key=etcpasswd
# doas.conf file changes
-w /etc/doas.conf -p wa -k actions
-w /etc/doas.d/ -p wa -k actions
# Changes to the privilege escalation programs' configurations
-a always,exit -F arch=b64 -F path=/etc/doas.conf -F perm=wa -F key=actions
-a always,exit -F arch=b64 -F path=/etc/please.ini -F perm=wa -F key=actions
-a always,exit -F arch=b64 -F path=/etc/sudoers -F perm=wa -F key=actions
-a always,exit -F arch=b64 -F dir=/etc/sudoers.d/ -F perm=wa -F key=actions
## Passwd
-w /usr/bin/passwd -p x -k passwd_modification
-a always,exit -F arch=b64 -F path=/usr/bin/passwd -F perm=x -F key=passwd_modification
## Tools to change group identifiers
-w /usr/sbin/addgroup -p x -k group_modification
-w /usr/sbin/adduser -p x -k user_modification
-w /usr/sbin/delgroup -p x -k user_modification
-w /usr/sbin/deluser -p x -k user_modification
-a always,exit -F arch=b64 -F path=/usr/sbin/addgroup -F perm=x -F key=group_modification
-a always,exit -F arch=b64 -F path=/usr/sbin/adduser -F perm=x -F key=user_modification
-a always,exit -F arch=b64 -F path=/usr/sbin/delgroup -F perm=x -F key=user_modification
-a always,exit -F arch=b64 -F path=/usr/sbin/deluser -F perm=x -F key=user_modification
## Login configuration and information
-w /etc/securetty -p wa -k login
-a always,exit -F arch=b64 -F path=/etc/securetty -F perm=wa -F key=login
## Network Environment
### Changes to hostname
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k network_modifications
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=network_modifications
### Successful IPv4 Connections
-a always,exit -F arch=b64 -S connect -F a2=16 -F success=1 -F key=network_connect_4
@ -141,68 +139,70 @@
-a always,exit -F arch=b64 -S connect -F a2=28 -F success=1 -F key=network_connect_6
### Changes to other files
-w /etc/hosts -p wa -k network_modifications
-w /etc/netconfig -p wa -k network_modifications
-w /etc/network/ -p wa -k network
-a always,exit -F arch=b64 -F path=/etc/hosts -F perm=wa -F key=network_modifications
-a always,exit -F arch=b64 -F path=/etc/netconfig -F perm=wa -F key=network_modifications
-a always,exit -F arch=b64 -F dir=/etc/network/ -F perm=wa -F key=network
### Changes to issue
-w /etc/issue -p wa -k etcissue
-a always,exit -F arch=b64 -F path=/etc/issue -F perm=wa -F key=etcissue
## System startup scripts and service configurations
-w /etc/inittab -p wa -k init
-w /etc/init.d/ -p wa -k init
-w /etc/conf.d/ -p wa -k init
-a always,exit -F arch=b64 -F path=/etc/inittab -F perm=wa -F key=init
-a always,exit -F arch=b64 -F dir=/etc/init.d/ -F perm=wa -F key=init
-a always,exit -F arch=b64 -F dir=/etc/conf.d/ -F perm=wa -F key=init
## Pam configuration
-w /etc/pam.d/ -p wa -k pam
-w /etc/security/limits.conf -p wa -k pam
-w /etc/security/limits.d -p wa -k pam
-w /etc/security/pam_env.conf -p wa -k pam
-w /etc/security/namespace.conf -p wa -k pam
-w /etc/security/namespace.d -p wa -k pam
-w /etc/security/namespace.init -p wa -k pam
-a always,exit -F arch=b64 -F dir=/etc/pam.d/ -F perm=wa -F key=pam
-a always,exit -F arch=b64 -F path=/etc/security/limits.conf -F perm=wa -F key=pam
-a always,exit -F arch=b64 -F path=/etc/security/limits.d -F perm=wa -F key=pam
-a always,exit -F arch=b64 -F path=/etc/security/pam_env.conf -F perm=wa -F key=pam
-a always,exit -F arch=b64 -F path=/etc/security/namespace.conf -F perm=wa -F key=pam
-a always,exit -F arch=b64 -F path=/etc/security/namespace.d -F perm=wa -F key=pam
-a always,exit -F arch=b64 -F path=/etc/security/namespace.init -F perm=wa -F key=pam
## Critical elements access failures
-a always,exit -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileaccess
-a always,exit -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileaccess
-a always,exit -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileaccess
-a always,exit -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileaccess
-a always,exit -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k unauthedfileaccess
-a always,exit -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileaccess
-a always,exit -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileaccess
-a always,exit -F arch=b64 -S open -F dir=/etc/ -F success=0 -F key=unauthedfileaccess
-a always,exit -F arch=b64 -S open -F dir=/bin/ -F success=0 -F key=unauthedfileaccess
-a always,exit -F arch=b64 -S open -F dir=/sbin/ -F success=0 -F key=unauthedfileaccess
-a always,exit -F arch=b64 -S open -F dir=/usr/bin/ -F success=0 -F key=unauthedfileaccess
-a always,exit -F arch=b64 -S open -F dir=/usr/sbin/ -F success=0 -F key=unauthedfileaccess
-a always,exit -F arch=b64 -S open -F dir=/var/ -F success=0 -F key=unauthedfileaccess
-a always,exit -F arch=b64 -S open -F dir=/home/ -F success=0 -F key=unauthedfileaccess
## Process ID change (switching accounts) applications
-w /bin/su -p x -k priv_esc
-w /usr/bin/doas -p x -k priv_esc
-w /etc/doas.conf -p rw -k priv_esc
-w /etc/doas.d/ -p rw -k priv_esc
-a always,exit -F arch=b64 -F path=/bin/su -F perm=x -F key=priv_esc
-a always,exit -F arch=b64 -F path=/usr/bin/doas -F perm=x -F key=priv_esc
-a always,exit -F arch=b64 -F path=/usr/bin/please -F perm=x -F key=priv_esc
-a always,exit -F arch=b64 -F path=/usr/bin/pleaseedit -F perm=x -F key=priv_esc
-a always,exit -F arch=b64 -F path=/usr/bin/sudo -F perm=x -F key=priv_esc
-a always,exit -F arch=b64 -F path=/usr/bin/sudoedit -F perm=x -F key=priv_esc
## Power state
-w /sbin/poweroff -p x -k power
-w /sbin/reboot -p x -k power
-w /sbin/halt -p x -k power
-a always,exit -F arch=b64 -F path=/sbin/poweroff -F perm=x -F key=power
-a always,exit -F arch=b64 -F path=/sbin/reboot -F perm=x -F key=power
-a always,exit -F arch=b64 -F path=/sbin/halt -F perm=x -F key=power
## Session initiation information
-w /var/log/swtmp -p wa -k session
-a always,exit -F arch=b64 -F dir=/var/log/swtmp/ -F perm=wa -F key=session
# Special Rules ---------------------------------------------------------------
## dbus-send invocation
### may indicate privilege escalation CVE-2021-3560
-w /usr/bin/dbus-send -p x -k dbus_send
-w /usr/bin/gdbus -p x -k gdubs_call
-a always,exit -F arch=b64 -F path=/usr/bin/dbus-send -F perm=x -F key=dbus_send
-a always,exit -F arch=b64 -F path=/usr/bin/gdbus -F perm=x -F key=gdubs_call
## pkexec invocation
### may indicate privilege escalation CVE-2021-4034
-w /usr/bin/pkexec -p x -k pkexec
-a always,exit -F arch=b64 -F path=/usr/bin/pkexec -F perm=x -F key=pkexec
## Injection
### These rules watch for code injection by the ptrace facility.
### This could indicate someone trying to do something bad or just debugging
-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k code_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k data_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k register_injection
-a always,exit -F arch=b64 -S ptrace -k tracing
-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register_injection
-a always,exit -F arch=b64 -S ptrace -F key=tracing
## Anonymous File Creation
### These rules watch the use of memfd_create
@ -212,24 +212,17 @@
## Privilege Abuse
### The purpose of this rule is to detect when an admin may be abusing power by looking in user's home dir.
-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=-1 -k power_abuse
-a always,exit -F dir=/home/ -F auid=0 -F auid>=1000 -F auid!=-1 -F key=power_abuse
# Socket Creations
# will catch both IPv4 and IPv6
-a always,exit -F arch=b64 -S socket -F a0=2 -k exfiltration_over_other_network_medium
-a always,exit -F arch=b64 -S socket -F a0=10 -k exfiltration_over_other_network_medium
-a always,exit -F arch=b64 -S socket -F a0=2 -F key=exfiltration_over_other_network_medium
-a always,exit -F arch=b64 -S socket -F a0=10 -F key=exfiltration_over_other_network_medium
# Software Management ---------------------------------------------------------
-w /usr/bin/flatpak -p x -k software_mgmt
-w /sbin/apk -p x -k software_mgmt
-w /etc/apk/ -p wa -k software_mgmt
# Special Software ------------------------------------------------------------
## Virtualization stuff
-w /usr/bin/qemu-system-x86_64 -p x -k qemu-system-x86_64
-w /usr/bin/qemu-img -p x -k qemu-img
-w /usr/bin/virt-manager -p x -k virt-manager
-a always,exit -F arch=b64 -F path=/usr/bin/flatpak -F perm=x -F key=software_mgmt
-a always,exit -F arch=b64 -F path=/sbin/apk -F perm=x -F key=software_mgmt
-a always,exit -F arch=b64 -F dir=/etc/apk/ -F perm=wa -F key=software_mgmt
# High Volume Events ----------------------------------------------------------
@ -237,23 +230,23 @@
## File Access
### Unauthorized Access (unsuccessful)
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k file_access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k file_access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=file_access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=file_access
### Unsuccessful Creation
-a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation
-a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -k file_creation
-a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -F key=file_creation
-a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -F key=file_creation
### Unsuccessful Modification
-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k file_modification
-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k file_modification
-a always,exit -F arch=b64 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EACCES -F key=file_modification
-a always,exit -F arch=b64 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EPERM -F key=file_modification
## 32bit API Exploitation
### If you are on a 64 bit platform, everything _should_ be running
### in 64 bit mode. This rule will detect any use of the 32 bit syscalls
### because this might be a sign of someone exploiting a hole in the 32
### bit API.
-a always,exit -F arch=b32 -S all -k 32bit_api
-a always,exit -F arch=b32 -S all -F key=32bit_api
# Make The Configuration Immutable --------------------------------------------
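Review bot: The rewritten power_abuse rule `-a always,exit -F dir=/home/ -F auid=0 -F auid>=1000 -F auid!=-1 -F key=power_abuse` can never fire, because `auid=0` and `auid>=1000` are mutually exclusive filters on the same field; the rule it replaces keyed on `uid=0` (effective root) combined with a regular login uid, which is exactly the "admin browsing a user's home" case the comment above it describes. It should read `-a always,exit -F dir=/home/ -F uid=0 -F auid>=1000 -F auid!=-1 -F key=power_abuse`. Separately, `/etc/security/limits.d` and `/etc/security/namespace.d` are given `-F path=` while every other directory in these hunks uses `-F dir=` with a trailing slash; `path=` on a directory only matches operations on the directory inode itself, so drop-in files placed under them would go unwatched. The old `/etc/doas.d/` watch also has no counterpart on the new side, so if doas on this host reads that directory, changes to its rules are now unaudited.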


@ -1,7 +1,7 @@
---
- name: libvirt | Install libvirt and qemu
community.general.apk:
name: libvirt-daemon, qemu-img, qemu-system-x86_64, qemu-modules
name: libvirt-daemon, qemu-img, qemu-system-x86_64, qemu-system-arm, qemu-system-aarch64, qemu-modules
state: present
# This is for PulseAudio


@ -76,7 +76,12 @@ table inet filter {
iif != lo ip6 daddr ::1/128 drop \
comment "Block spoofing as localhost (IPv6)"
# Allow stuff first before the dynamic blacklisting
udp dport mdns ip daddr 224.0.0.251 accept \
comment "Accept mDNS"
udp dport mdns ip6 daddr ff02::fb accept \
comment "Accept mDNS"
jump input_dhcp_client
jump input_icmp
# Blacklisting should be done before stateful accept rules
@ -120,8 +125,17 @@ table inet filter {
type filter hook output priority 0; policy accept;
}
chain input_dhcp_client {
udp sport 67 udp dport 68 accept \
comment "Accept DHCP client input traffic"
ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept \
comment "Accept DHCPv6 replies from IPv6 link-local addresses"
}
chain input_icmp {
# ICMPv4
ip protocol igmp accept \
comment "Accept IGMP"
ip protocol icmp icmp type {
echo-reply, # type 0
@ -132,9 +146,7 @@ table inet filter {
} limit rate 10/second burst 4 packets accept \
comment "Accept ICMP"
# ICMPv6
ip6 nexthdr icmpv6 icmpv6 type {
icmpv6 type {
destination-unreachable, # type 1
packet-too-big, # type 2
time-exceeded, # type 3
@ -144,7 +156,7 @@ table inet filter {
} limit rate 10/second burst 4 packets accept \
comment "Accept basic IPv6 functionality"
ip6 nexthdr icmpv6 icmpv6 type {
icmpv6 type {
nd-router-solicit, # type 133
nd-router-advert, # type 134
nd-neighbor-solicit, # type 135
@ -152,15 +164,15 @@ table inet filter {
} ip6 hoplimit 255 accept \
comment "Allow IPv6 SLAAC"
ip6 nexthdr icmpv6 icmpv6 type {
icmpv6 type {
mld-listener-query, # type 130
mld-listener-report, # type 131
mld-listener-reduction, # type 132
mld2-listener-report, # type 143
} ip6 saddr fe80::/10 accept \
comment "Allow IPv6 multicast listener discovery on link-local"
ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept \
comment "Accept DHCPv6 replies from IPv6 link-local addresses"
}
}
# The state of stateful objects saved on the nftables service stop.
include "/var/lib/nftables/*.nft"
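Review bot: The new DHCPv4 accept `udp sport 67 udp dport 68 accept` in `chain input_dhcp_client` carries no address-family qualifier, so in this `inet` table it also accepts IPv6 UDP 67→68 from any source, unlike the DHCPv6 rule next to it which is scoped to `ip6 saddr fe80::/10`; writing it as `meta nfproto ipv4 udp sport 67 udp dport 68 accept` keeps the two rules parallel. The IPv6 mDNS rule `udp dport mdns ip6 daddr ff02::fb accept` could presumably be tightened the same way with `ip6 saddr fe80::/10`, since mDNS is link-scoped, but confirm against the responders in use before adding it. Note that all of these accepts are jumped to before the dynamic blacklist (per the comment "Allow stuff first before the dynamic blacklisting"), so a blacklisted peer retains a path on these ports; a one-line comment in `input_dhcp_client` stating that this is intentional would save the next reader from re-deriving it.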