From ad539693ae1d5c8c038c76c1accee5fbc22308fd Mon Sep 17 00:00:00 2001
From: Bryan Endres <42649487+bendres97@users.noreply.github.com>
Date: Thu, 16 Mar 2023 20:04:15 -0500
Subject: [PATCH] Local loopback is 127.0.0.0/8, not just 127.0.0.1
Signed-off-by: Bryan Endres
---
 controls/3_5_firewall_configuration.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/controls/3_5_firewall_configuration.rb b/controls/3_5_firewall_configuration.rb
index 54d5fd0..9197697 100644
--- a/controls/3_5_firewall_configuration.rb
+++ b/controls/3_5_firewall_configuration.rb
@@ -117,7 +117,7 @@
 tag cis: 'distribution-independent-linux:3.5.1.4'
 tag level: 1
- port.where { address !~ /^(127\.0\.0\.1|::1)$/ }.ports.each do |port|
+ port.where { address !~ /^(127\.|::1)$/ }.ports.each do |port|
 describe "Firewall rule should exist for port #{port}" do
 subject { ip6tables.retrieve_rules.any? { |s| s =~ /\s--(dport|dports) #{port}\s/ } }
 it { should be true }
@@ -214,7 +214,7 @@
 tag cis: 'distribution-independent-linux:3.5.2.4'
 tag level: 1
- port.where { address !~ /^(127\.0\.0\.1|::1)$/ }.ports.each do |port|
+ port.where { address !~ /^(127\.|::1)$/ }.ports.each do |port|
 describe "Firewall rule should exist for port #{port}" do
 subject { iptables.retrieve_rules.any? { |s| s =~ /\s--(dport|dports) #{port}\s/ } }
 it { should be true }
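Review bot: The new pattern `/^(127\.|::1)$/` on the `+` line of the first hunk (@@ -117) cannot match any real loopback address: the `$` directly after `127\.` means only the literal string `127.` satisfies that alternative, so `127.0.0.1` and every other 127/8 address now fail the `!~` filter and every loopback-bound listener is reported as needing an ip6tables rule, the opposite of the commit's intent. The same regex is introduced in the second hunk (@@ -214) for the iptables control and has the same problem. A pattern that covers the whole 127/8 range is `port.where { address !~ /\A(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|::1)\z/ }.ports.each do |port|`, using `\A`/`\z` so the match is against the whole address rather than a line. Listeners reported with an IPv4-mapped form such as `::ffff:127.0.0.1` are not treated as local by either the old or the new pattern, which may be worth a comment at the filter line. The enclosing control blocks start and end outside both hunks.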