ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

needs mapping/rule: SRG-OS-000480-GPOS-00227, SV-86939r1_rule, RHEL-07-040810 (firewalld must have rules) #1860

Closed shawndwells closed 7 years ago

shawndwells commented 7 years ago
SRG-OS-000480-GPOS-00227
RHEL-07-040810
The system access control program must be configured to grant or deny system access to specific hosts and services.

<VulnDiscussion>If the systems access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts.</VulnDiscussion>
<Documentable>false</Documentable>

DPMS Target: Red Hat 7 (DISA DPMS Target Red Hat 7, 2777)
CCI-000366

Fix:
If "firewalld" is installed and active on the system, configure rules for allowing specific services and hosts.

If "tcpwrappers" is installed, configure the "/etc/hosts.allow" and "/etc/hosts.deny" to allow or deny access to specific hosts.

Check:
If the "firewalld" package is not installed, ask the System Administrator (SA) if another firewall application (such as iptables) is installed. If an application firewall is not installed, this is a finding.

Verify the system's access control program is configured to grant or deny system access to specific hosts.

Check to see if "firewalld" is active with the following command:

# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: active (running) since Sun 2014-04-20 14:06:46 BST; 30s ago

If "firewalld" is active, check to see if it is configured to grant or deny access to specific hosts or services with the following commands:

# firewall-cmd --get-default-zone
public

# firewall-cmd --list-all --zone=public
public (default, active)
interfaces: eth0
sources:
services: mdns ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="92.188.21.1/24" accept
rule family="ipv4" source address="211.17.142.46/32" accept

If "firewalld" is not active, determine whether "tcpwrappers" is being used by checking whether the "hosts.allow" and "hosts.deny" files are empty with the following commands:

# ls -al /etc/hosts.allow
rw-r----- 1 root root 9 Aug 2 23:13 /etc/hosts.allow

# ls -al /etc/hosts.deny
-rw-r----- 1 root root 9 Apr 9 2007 /etc/hosts.deny

If "firewalld" and "tcpwrappers" are not installed, configured, and active, ask the SA if another access control program (such as iptables) is installed and active. Ask the SA to show that the running configuration grants or denies access to specific hosts or services.
If "firewalld" is active and is not configured to grant access to specific hosts and "tcpwrappers" is not configured to grant or deny access to specific hosts, this is a finding.
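The check text above is a manual procedure. As an added example (not part of the issue, the STIG, or the ComplianceAsCode project), the script below turns it into an audit helper: the parsing functions take command output as text, so they can be exercised on the constructed samples embedded in the script, and `run_check` wires them to the live `systemctl`, `firewall-cmd` and tcp_wrappers files when invoked with `--live`. The function names and the sample strings are this example's own; the samples are modelled on the output quoted in the check text.

```shell
#!/bin/sh
# Added example: audit helper for the RHEL-07-040810 check described above.
# Not ComplianceAsCode content; function names and sample data are assumptions.

# Return 0 when `firewall-cmd --list-all --zone=<zone>` output (passed as $1)
# restricts access per host: either the zone lists explicit sources, or it
# carries rich rules that name a source address.
zone_restricts_hosts() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*sources:/ {
            sub(/^[[:space:]]*sources:[[:space:]]*/, "")
            if (length($0) > 0) found = 1
        }
        /^[[:space:]]*rule / && /source address=/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 when a tcp_wrappers control file (content passed as $1) has at
# least one effective line. This is stricter than the size check in the STIG
# text: a file holding only comments counts as "not configured".
hosts_file_has_rules() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*[^#[:space:]]'
}

# Apply the check-text logic to the running system. Returns 0 on pass,
# 1 when the result would be a finding.
run_check() {
    if command -v firewall-cmd >/dev/null 2>&1 && systemctl is-active --quiet firewalld 2>/dev/null; then
        zone=$(firewall-cmd --get-default-zone)
        if zone_restricts_hosts "$(firewall-cmd --list-all --zone="$zone")"; then
            echo "PASS: firewalld default zone '$zone' restricts access by host"
            return 0
        fi
        echo "NOTE: firewalld is active but zone '$zone' has no host-specific rules; checking tcp_wrappers"
    fi
    if hosts_file_has_rules "$(cat /etc/hosts.allow 2>/dev/null)" \
       || hosts_file_has_rules "$(cat /etc/hosts.deny 2>/dev/null)"; then
        echo "PASS: /etc/hosts.allow or /etc/hosts.deny contains rules"
        return 0
    fi
    echo "FINDING: no host-based access control rules found; confirm with the SA whether iptables or another firewall is in use"
    return 1
}

# Constructed sample data (not captured from a real host), modelled on the
# output quoted in the check text.
SAMPLE_ZONE_RESTRICTED='public (default, active)
  interfaces: eth0
  sources:
  services: mdns ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="92.188.21.1/24" accept
        rule family="ipv4" source address="211.17.142.46/32" accept'

SAMPLE_ZONE_OPEN='public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'

SAMPLE_ZONE_SOURCES='internal (active)
  interfaces:
  sources: 192.0.2.0/24
  services: ssh
  rich rules:'

SAMPLE_HOSTS_COMMENTS_ONLY='#
# hosts.allow   This file contains access rules for the tcp_wrappers library.
#'

SAMPLE_HOSTS_WITH_RULES='# allow ssh from the management network only
sshd: 192.0.2.0/24'

# Run the live check only when asked, so sourcing the file has no side effects.
if [ "${1:-}" = "--live" ]; then
    run_check
fi
```

Running `sh check_rhel-07-040810.sh --live` prints PASS, NOTE or FINDING lines and exits non-zero on a finding, which makes it usable from a cron job or a CI host-hardening test; sourcing the file exposes the two parsers for use against saved command output.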
shawndwells commented 7 years ago

mapped to set_firewalld_default_zone