Detections
Analytics
ALMA-09-018830 - AlmaLinux OS 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.
Information
Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DOD data.AlmaLinux OS 9 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be used to a deny-all, allow-by-exception approach. The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection.
Solution
Configure the "firewalld" daemon to employ a deny-all, allow-by-exception.Start by adding the exceptions that are required for mission functionality to the "drop" zone. If SSH access on port 22 is needed for example, run the following command:
$ firewall-cmd --permanent --add-service=ssh --zone=drop
Set the default zone to the "drop" zone:
$ firewall-cmd --set-default-zone=drop
Note: This is a runtime and a permanent change.
Add any interfaces to the newly modified "drop" zone:
$ firewall-cmd --permanent --zone=drop --change-interface=enp1s0
Reload the firewall rules for changes to take effect:
$ firewall-cmd --reload
Check zones and interfaces:
$ firewall-cmd --get-active-zones
drop
interfaces: enp1s0
Check new default zone's target is set to "DROP":
$ firewall-cmd --permanent --info-zone=drop | grep target
target: DROP
The same outcome is achieved by creating a new zone, for example:
$ firewall-cmd --permanent --new-zone=stig
$ firewall-cmd --reload
$ firewall-cmd --permanent --change-interface=enp1s0 --zone=stig
$ firewall-cmd --permanent --add-service=ssh --zone=stig
$ firewall-cmd --permanent --set-target=DROP --zone=stig
$ firewall-cmd --set-default-zone=stig
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CL_AlmaLinux_OS_9_V1R6_STIG.zip
Item Details
Audit Name: DISA Cloud Linux AlmaLinux OS 9 STIG v1r6
Category: CONFIGURATION MANAGEMENT
References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-269246r1050780_rule, STIG-ID|ALMA-09-018830, Vuln-ID|V-269246
Plugin: Unix
Control ID: 44cbe16b754d543212b7c6af694a5c126a2267c18fa3f075ce60df9a286f83cd