Rule ID: SV-230504r627750_rule
Vuln ID: V-230504
SRG: SRG-OS-000297-GPOS-00115
STIG ID: RHEL-08-040090
Severity: CAT II
Weight: 10
Fix Text: Configure the "firewalld" daemon to employ a deny-all, allow-by-exception policy with the following commands:
$ sudo firewall-cmd --permanent --new-zone=[custom]
$ sudo cp /usr/lib/firewalld/zones/drop.xml /etc/firewalld/zones/[custom].xml
This will provide a clean configuration file to work with that employs a deny-all approach. Next, add the exceptions that are required for mission functionality.
$ sudo firewall-cmd --set-default-zone=[custom]
Note: This is a runtime and permanent change.
Check Text: Verify "firewalld" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands:
$ sudo firewall-cmd --state
running
$ sudo firewall-cmd --get-active-zones
[custom]
interfaces: ens33
$ sudo firewall-cmd --info-zone=[custom] | grep target
target: DROP
If no zones are active on the RHEL 8 interfaces, or if the target is set to any option other than "DROP", this is a finding.
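An automated form of this check, added here as an example and not part of the STIG text: a POSIX shell function that runs the same three firewall-cmd queries and reports a finding on any of the three conditions (firewalld not running, no active zones, or a target other than DROP). It goes slightly beyond the manual check by inspecting every active zone rather than only [custom]; the FIREWALL_CMD variable is an assumption of this example so a wrapper or stub can be substituted.

```shell
#!/bin/sh
# Automated check for RHEL-08-040090 (example code, not the STIG's own text).
# FIREWALL_CMD is an assumption of this example: defaults to firewall-cmd on PATH.
: "${FIREWALL_CMD:=firewall-cmd}"

# Returns 0 (not a finding) when firewalld is running, at least one zone is
# active on an interface, and every active zone's target is DROP.
# Returns 1 (finding) otherwise, printing the reason.
check_rhel8_040090() {
    state=$("$FIREWALL_CMD" --state 2>/dev/null) || state="not running"
    if [ "$state" != "running" ]; then
        echo "FINDING: firewalld is not running ($state)"
        return 1
    fi

    # --get-active-zones prints each zone name unindented, followed by an
    # indented "interfaces:" or "sources:" line; keep only the zone names.
    zones=$("$FIREWALL_CMD" --get-active-zones | grep -v '^[[:space:]]') || zones=""
    if [ -z "$zones" ]; then
        echo "FINDING: no zones are active on any interface"
        return 1
    fi

    rc=0
    for zone in $zones; do
        # Extract the value of the "target:" line from --info-zone output.
        target=$("$FIREWALL_CMD" --info-zone="$zone" \
                 | sed -n 's/^[[:space:]]*target:[[:space:]]*//p')
        if [ "$target" = "DROP" ]; then
            echo "PASS: zone $zone target is DROP"
        else
            echo "FINDING: zone $zone target is '${target:-unknown}', expected DROP"
            rc=1
        fi
    done
    return $rc
}
```

Run as root (or via sudo) on the host; a non-zero exit status means the rule is a finding.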