
An application firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.


Overview

Finding ID: V-215113
Version: UBTU-16-030050
Rule ID: SV-215113r610931_rule
IA Controls: (none listed)
Severity: Medium
Description
Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data. Satisfies: SRG-OS-000297-GPOS-00115, SRG-OS-000480-GPOS-00231
STIG: Canonical Ubuntu 16.04 LTS Security Technical Implementation Guide
Date: 2020-12-09

Details

Check Text ( C-16312r285207_chk )
Verify that the Uncomplicated Firewall (ufw) is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems.

List the active ufw rules together with their rule numbers using the following command (plain "ufw status" prints the same rules without the bracketed numbers; the numbers are what the delete step in the fix text expects):
# sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         LIMIT IN    Anywhere

If the first line reports "Status: inactive", ufw is enforcing no policy at all and every port is reachable regardless of the rules listed.

If any services, ports, or applications are allowed and are not documented by the organization, this is a finding.
Fix Text (F-16310r285208_fix)
Configure the Uncomplicated Firewall to employ a deny-all, allow-by-exception policy for allowing connections to other systems.

Remove any rule that allows a service not needed or documented by the organization with the following command (replace [NUMBER] with the rule number shown by "ufw status numbered"):

# sudo ufw delete [NUMBER]

Note that ufw renumbers the remaining rules after each deletion. When removing several rules, delete them from the highest number down, or re-run "ufw status numbered" before each delete, so that a stale number does not remove a documented rule.

Another option would be to set the Uncomplicated Firewall back to default with the following commands:

# sudo ufw default deny incoming
# sudo ufw default allow outgoing

Note: UFW's defaults are to deny all incoming connections and allow all outgoing connections. These two commands only set the policy applied to traffic that matches no rule; they do not remove existing allow rules, which still have to be deleted as above (or cleared entirely with "sudo ufw reset", which also disables the firewall until "sudo ufw enable" is run again). A default of "allow outgoing" leaves outbound connections, including the exfiltration path named in the description, unrestricted; where the organization requires egress control, set "sudo ufw default deny outgoing" and add explicit "ufw allow out" rules for the documented destinations (DNS, update mirrors, logging and management hosts), testing the result before relying on it.
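The check and the delete step above can be scripted so that the comparison against the organization's documentation is repeatable. The following POSIX shell script is an added example and is not part of the STIG or of ufw itself: it parses the output of "ufw status numbered", reports every rule whose To/Action/From triple is not on an approved list, and prints the corresponding "ufw delete" commands highest number first so they survive ufw's renumbering. The STATUS text is a constructed sample of ufw output (replace it with the real command on a host), the APPROVED allowlist and its "To|Action|From" format are hypothetical, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the STIG or of ufw: audit "ufw status numbered"
# output against an organization-approved allowlist and emit the numbers of
# undocumented rules in descending order, ready for "sudo ufw delete".

# Constructed sample of "sudo ufw status numbered" output (not from a real host).
# On a real system use: STATUS="$(sudo ufw status numbered)"
STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         LIMIT IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 3306/tcp                   ALLOW IN    10.0.0.0/8
[ 4] 22 (v6)                    LIMIT IN    Anywhere (v6)'

# Hypothetical allowlist, one documented rule per line as To|Action|From.
# The organization's own documentation is the source of truth for this list.
APPROVED='22|LIMIT IN|Anywhere
22 (v6)|LIMIT IN|Anywhere (v6)'

# ufw_active STATUS_TEXT -> exit 0 when the first line reports an active firewall
ufw_active() {
    printf '%s\n' "$1" | sed -n '1p' | grep -q '^Status: active$'
}

# undocumented_rules STATUS_TEXT APPROVED_TEXT
# Prints the number of every listed rule whose To|Action|From triple is not on
# the allowlist, highest number first.
undocumented_rules() {
    {
        printf '%s\n' "$2" | sed 's/^/APPROVED /'
        printf '%s\n' "$1"
    } | awk '
        /^APPROVED / { ok[substr($0, 10)] = 1; next }
        /^\[ *[0-9]+]/ {
            close_at = index($0, "]")
            num = substr($0, 2, close_at - 2) + 0
            rest = substr($0, close_at + 1)
            # The action keyword is the only fixed token on the line: text
            # before it is "To", text after it is "From" (both may contain
            # spaces, e.g. "22 (v6)" or "Anywhere (v6)").
            if (match(rest, / +(ALLOW|DENY|REJECT|LIMIT) (IN|OUT|FWD) +/)) {
                to = substr(rest, 1, RSTART - 1)
                action = substr(rest, RSTART, RLENGTH)
                from = substr(rest, RSTART + RLENGTH)
                gsub(/^ +| +$/, "", to)
                gsub(/^ +| +$/, "", action)
                gsub(/^ +| +$/, "", from)
                key = to "|" action "|" from
                if (!(key in ok)) print num
            }
        }' | sort -rn
}

# fix_commands STATUS_TEXT APPROVED_TEXT
# Turns the audit result into the delete commands from the fix text.
fix_commands() {
    undocumented_rules "$1" "$2" | sed 's/^/sudo ufw delete /'
}

if ufw_active "$STATUS"; then
    if [ -n "$(undocumented_rules "$STATUS" "$APPROVED")" ]; then
        echo "Finding: undocumented ufw rules present. Suggested fix:"
        fix_commands "$STATUS" "$APPROVED"
    else
        echo "No undocumented ufw rules."
    fi
else
    echo "Finding: ufw is not active, so no policy is enforced."
fi
```

Run against the constructed sample, the script flags rules 2 (80/tcp) and 3 (3306/tcp) and prints "sudo ufw delete 3" before "sudo ufw delete 2". Review the suggested commands rather than piping them straight into a shell: a rule missing from the allowlist may simply be undocumented rather than unneeded, and the STIG's finding condition is about documentation, not about whether the port happens to be in use.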