Configure Firewalld to Trust Loopback Traffic

An XCCDF Rule

Description

Assign loopback interface to the firewalld trusted zone in order to explicitly allow the loopback traffic in the system. To configure firewalld to trust loopback traffic, run the following command:

sudo firewall-cmd --permanent --zone=trusted --add-interface=lo

To ensure firewalld settings are applied in runtime, run the following command:

firewall-cmd --reload

Rationale

Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure.

ID: xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_trusted
Severity: Medium
References: 1.4 1.4.1

3.4.2.2
Updated: 5 days ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - PCI-DSSv4-1.4
  - PCI-DSSv4-1.4.1  - configure_strategy
  - firewalld_loopback_traffic_trusted
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Configure Firewalld to Trust Loopback Traffic - Ensure firewalld Package is
    Installed
  ansible.builtin.package:
    name: '{{ item }}'
    state: present
  with_items:
  - firewalld
  when: '"kernel" in ansible_facts.packages'
  tags:
  - PCI-DSSv4-1.4
  - PCI-DSSv4-1.4.1
  - configure_strategy
  - firewalld_loopback_traffic_trusted
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Configure Firewalld to Trust Loopback Traffic - Collect Facts About System
    Services
  ansible.builtin.service_facts: null
  register: result_services_states
  when: '"kernel" in ansible_facts.packages'
  tags:
  - PCI-DSSv4-1.4
  - PCI-DSSv4-1.4.1
  - configure_strategy
  - firewalld_loopback_traffic_trusted
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Configure Firewalld to Trust Loopback Traffic - Remediation is Applicable
    if firewalld Service is Running
  block:

  - name: Configure Firewalld to Trust Loopback Traffic - Ensure firewalld trusted
      Zone Includes lo Interface
    ansible.builtin.command:
      cmd: firewall-cmd --permanent --zone=trusted --add-interface=lo
    register: result_lo_interface_assignment
    changed_when:
    - '''ALREADY_ENABLED'' not in result_lo_interface_assignment.stderr'

  - name: Configure Firewalld to Trust Loopback Traffic - Ensure firewalld Changes
      are Applied
    ansible.builtin.service:
      name: firewalld
      state: reloaded
    when:
    - result_lo_interface_assignment is changed
  when:
  - '"kernel" in ansible_facts.packages'
  - ansible_facts.services['firewalld.service'].state == 'running'
  tags:
  - PCI-DSSv4-1.4
  - PCI-DSSv4-1.4.1
  - configure_strategy
  - firewalld_loopback_traffic_trusted
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Configure Firewalld to Trust Loopback Traffic - Informative Message Based
    on Service State
  ansible.builtin.assert:
    that:
    - ansible_facts.services['firewalld.service'].state == 'running'
    fail_msg:
    - firewalld service is not active. Remediation aborted!
    - This remediation could not be applied because it depends on firewalld service
      running.
    - The service is not started by this remediation in order to prevent connection
      issues.
    success_msg:
    - Configure Firewalld to Trust Loopback Traffic remediation successfully executed
  when: '"kernel" in ansible_facts.packages'
  tags:
  - PCI-DSSv4-1.4
  - PCI-DSSv4-1.4.1
  - configure_strategy
  - firewalld_loopback_traffic_trusted
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then

if ! rpm -q --quiet "firewalld" ; then
    yum install -y "firewalld"
fi
if test "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)"; then
    firewall-offline-cmd --zone=trusted --add-interface=lo
elif systemctl is-active firewalld; then
    firewall-cmd --permanent --zone=trusted --add-interface=lo
    firewall-cmd --reload
else
    echo "
    firewalld service is not active. Remediation aborted!
    This remediation could not be applied because it depends on firewalld service running.
    The service is not started by this remediation in order to prevent connection issues."
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Configure Firewalld to Trust Loopback Traffic

Description

Rationale

Remediation - Ansible

Remediation - Shell Script