STIGQter: STIG Summary: Red Hat Enterprise Linux 8 Security Technical Implementation Guide, Version 1, Release 2, Benchmark Date: 23 Apr 2021

A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.

DISA Rule

SV-230504r627750_rule

Vulnerability Number

V-230504

Group Title

SRG-OS-000297-GPOS-00115

Rule Version

RHEL-08-040090

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the "firewalld" daemon to employ a deny-all, allow-by-exception policy with the following commands:

$ sudo firewall-cmd --permanent --new-zone=[custom]

$ sudo cp /usr/lib/firewalld/zones/drop.xml /etc/firewalld/zones/[custom].xml

This will provide a clean configuration file to work with that employs a deny-all approach. Next, add the exceptions that are required for mission functionality.

$ sudo firewall-cmd --set-default-zone=[custom]

Note: This is a runtime and permanent change.

Check Contents

Verify "firewalld" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands:

$ sudo firewall-cmd --state

running

$ sudo firewall-cmd --get-active-zones

[custom]
interfaces: ens33

$ sudo firewall-cmd --info-zone=[custom] | grep target

target: DROP

If no zones are active on the RHEL 8 interfaces, or if the zone's target is set to anything other than "DROP", this is a finding.
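The check above can be scripted so an auditor gets a pass/finding verdict instead of reading three command outputs by hand. The following is an added example, not part of the STIG or of STIGQter; it assumes the zone to inspect is the one returned by "firewall-cmd --get-default-zone" (the zone the fix above makes default), and the sample outputs at the bottom are constructed to mirror the check's expected results so the logic runs without firewalld present.

```shell
#!/bin/sh
# Added example (not STIG or STIGQter code): evaluate RHEL-08-040090 from the
# three firewall-cmd outputs. Outputs are passed as arguments so the decision
# logic can be exercised offline. Returns 0 = compliant, 1 = finding.
#   $1: output of `firewall-cmd --state`
#   $2: output of `firewall-cmd --get-active-zones`
#   $3: output of `firewall-cmd --info-zone=<zone>`
evaluate_rhel_08_040090() {
    state="$1"; active="$2"; zoneinfo="$3"
    if [ "$state" != "running" ]; then
        echo "finding: firewalld state is '$state', expected 'running'"
        return 1
    fi
    # --get-active-zones prints each zone name flush left with its
    # interfaces/sources indented below; no unindented line means no active zone.
    if ! printf '%s\n' "$active" | grep -q '^[^[:space:]]'; then
        echo "finding: no zones are active on any interface"
        return 1
    fi
    # --info-zone output contains one line of the form "  target: DROP".
    target=$(printf '%s\n' "$zoneinfo" | sed -n 's/^[[:space:]]*target:[[:space:]]*//p')
    if [ "$target" != "DROP" ]; then
        echo "finding: zone target is '${target:-unset}', expected 'DROP'"
        return 1
    fi
    echo "compliant: firewalld running, active zone present, target DROP"
    return 0
}

# Live audit on a RHEL 8 host (assumption: the default zone is the one to check).
audit_rhel_08_040090() {
    zone=$(firewall-cmd --get-default-zone) || return 1
    evaluate_rhel_08_040090 \
        "$(firewall-cmd --state 2>&1)" \
        "$(firewall-cmd --get-active-zones)" \
        "$(firewall-cmd --info-zone="$zone")"
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_STATE="running"
SAMPLE_ACTIVE="custom
  interfaces: ens33"
SAMPLE_INFO_DROP="custom (active)
  target: DROP
  interfaces: ens33"
SAMPLE_INFO_DEFAULT="public (active)
  target: default
  interfaces: ens33"
```

Run "audit_rhel_08_040090" as root on the host being checked; a non-zero exit with the printed reason is the finding.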

Vulnerability Number

V-230504

Documentable

False

Rule Version

RHEL-08-040090

Severity Override Guidance


Check Content Reference

M

Target Key

2921

Comments