STIGQter: STIG Summary: Red Hat Enterprise Linux 8 Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 23 Apr 2021:

A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces.

DISA Rule

SV-230525r627750_rule

Vulnerability Number

V-230525

Group Title

SRG-OS-000420-GPOS-00186

Rule Version

RHEL-08-040150

Severity

CAT II

CCI(s)

• CCI-002385 - The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.

Weight

10

Fix Recommendation

Install "nftables" packages onto the host with the following commands:

$ sudo yum install nftables.x86_64 1:0.9.0-14.el8

Configure the "nftables" service to automatically start after reboot with the following command:

$ sudo systemctl enable nftables.service

Configure "nftables" to be the default "firewallbackend" for "firewalld" by adding or editing the following line in "etc/firewalld/firewalld.conf":

FirewallBackend=nftables

Establish rate-limiting rules based on organization-defined types of DoS attacks on impacted network interfaces.

Check Contents

Verify "nftables" is configured to allow rate limits on any connection to the system with the following commands:

Check that the "nftables.service" is active and running:

$ sudo systemctl status nftables.service

nftables.service - Netfilter Tables
Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; vendor preset: disabled)
Active: active (running)

Verify "firewalld" has "nftables" set as the default backend:

$ sudo grep -i firewallbackend /etc/firewalld/firewalld.conf

# FirewallBackend
FirewallBackend=nftables

If the "nftables" is not active, running and set as the "firewallbackend" default, this is a finding.

Vulnerability Number

V-230525

Documentable

False

Rule Version

RHEL-08-040150

Severity Override Guidance

Verify "nftables" is configured to allow rate limits on any connection to the system with the following commands:

Check that the "nftables.service" is active and running:

$ sudo systemctl status nftables.service

nftables.service - Netfilter Tables
Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; vendor preset: disabled)
Active: active (running)

Verify "firewalld" has "nftables" set as the default backend:

$ sudo grep -i firewallbackend /etc/firewalld/firewalld.conf

# FirewallBackend
FirewallBackend=nftables

If the "nftables" is not active, running and set as the "firewallbackend" default, this is a finding.

Check Content Reference

M

Target Key

2921

Comments