A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-230504	RHEL-08-040090	SV-230504r627750_rule		Medium

Description
Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data. RHEL 8 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be utilized to a deny-all, allow-by-exception approach. The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection.

Description

Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data. RHEL 8 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be utilized to a deny-all, allow-by-exception approach. The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection.

STIG	Date
Red Hat Enterprise Linux 8 Security Technical Implementation Guide	2021-03-04

Details

Check Text ( C-33173r568258_chk )
Verify "firewalld" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands: $ sudo firewall-cmd --state running $ sudo firewall-cmd --get-active-zones [custom] interfaces: ens33 $ sudo firewall-cmd --info-zone=[custom] \| grep target target: DROP If no zones are active on the RHEL 8 interfaces or if the target is set to a different option other than "DROP", this is a finding.

Check Text ( C-33173r568258_chk )

Verify "firewalld" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands:

$ sudo firewall-cmd --state

running

$ sudo firewall-cmd --get-active-zones

[custom]
interfaces: ens33

$ sudo firewall-cmd --info-zone=[custom] | grep target

target: DROP

If no zones are active on the RHEL 8 interfaces or if the target is set to a different option other than "DROP", this is a finding.

Fix Text (F-33148r568259_fix)
Configure the "firewalld" daemon to employ a deny-all, allow-by-exception with the following commands: $ sudo firewall-cmd --permanent --new-zone=[custom] $ sudo cp /usr/lib/firewalld/zones/drop.xml /etc/firewalld/zones/[custom].xml This will provide a clean configuration file to work with that employs a deny-all approach. Next, add the exceptions that are required for mission functionality. $ sudo firewall-cmd --set-default-zone=[custom] Note: This is a runtime and permanent change.

Fix Text (F-33148r568259_fix)

Configure the "firewalld" daemon to employ a deny-all, allow-by-exception with the following commands:

$ sudo firewall-cmd --permanent --new-zone=[custom]

$ sudo cp /usr/lib/firewalld/zones/drop.xml /etc/firewalld/zones/[custom].xml

This will provide a clean configuration file to work with that employs a deny-all approach. Next, add the exceptions that are required for mission functionality.

$ sudo firewall-cmd --set-default-zone=[custom]

Note: This is a runtime and permanent change.