| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-248839 | OL08-00-040090 | SV-248839r780083_rule | | Medium |
**Description**

Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data. OL 8 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be used in a deny-all, allow-by-exception approach. The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection.
| STIG | Date |
|---|---|
| Oracle Linux 8 Security Technical Implementation Guide | 2021-07-21 |
**Check Text (C-52273r780081_chk)**

Verify "firewalld" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands:

```
$ sudo firewall-cmd --state
running

$ sudo firewall-cmd --get-active-zones
[custom]
  interfaces: ens33

$ sudo firewall-cmd --info-zone=[custom] | grep target
  target: DROP
```

If no zones are active on the OL 8 interfaces or if the target is set to an option other than "DROP", this is a finding.
**Fix Text (F-52227r780082_fix)**

Configure the "firewalld" daemon to employ a deny-all, allow-by-exception policy with the following commands:

```
$ sudo firewall-cmd --permanent --new-zone=[custom]
$ sudo cp /usr/lib/firewalld/zones/drop.xml /etc/firewalld/zones/[custom].xml
```

This will provide a clean configuration file to work with that employs a deny-all approach. Next, add the exceptions that are required for mission functionality.

```
$ sudo firewall-cmd --reload
$ sudo firewall-cmd --set-default-zone=[custom]
```

Note: This is a runtime and permanent change.