UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The system's local firewall must implement a deny-all, allow-by-exception policy.


Overview

Finding ID Version Rule ID IA Controls Severity
V-22583 GEN008540 SV-26976r2_rule Medium
Description
A local firewall protects the system from exposing unnecessary or undocumented network services to the local enclave. If a system within the enclave is compromised, firewall protection on an individual system continues to protect it from attack.
STIG Date
Solaris 10 SPARC Security Technical Implementation Guide 2020-02-26

Details

Check Text ( C-40649r2_chk )
If the system is not a global zone, this vulnerability is not applicable.

Check the firewall rules for a default deny rule.
# ipfstat -i

An example of a default deny rule is:
block in log quick on ne3 from any to any.

If there is no default deny rule, this is a finding.
Fix Text (F-24238r2_fix)
Edit /etc/ipf/ipf.conf and add a default deny rule.
Restart the ipfilter service.
# svcadm restart network/ipfilter