UCF STIG Viewer Logo

The system's local firewall must implement a deny-all, allow-by-exception policy.


Overview

Finding ID Version Rule ID IA Controls Severity
V-22583 GEN008540 SV-26977r1_rule ECSC-1 Medium
Description
A local firewall protects the system from exposing unnecessary or undocumented network services to the local enclave. If a system within the enclave is compromised, firewall protection on an individual system continues to protect it from attack.
STIG Date
HP-UX 11.31 Security Technical Implementation Guide 2018-09-14

Details

Check Text ( C-36794r2_chk )
Check the firewall rules for a default deny rule.
# ipfstat -i | sed -e 's/^[ \t]*//' | tr '\011' ' ' | tr -s ' ' | grep -v "^#" | grep "block"

An example of a default deny rule:
block in log quick on ne3 from any to any

If there is no default deny rule, this is a finding.
Fix Text (F-32172r1_fix)
Edit /etc/opt/ipf/ipf.conf and add a default deny rule and restart the ipfilter service.
# /sbin/init.d/ipfboot stop
# /sbin/init.d/ipfboot start