Verify firewalld service disabled

An XCCDF Rule

Description

Firewalld (Dynamic Firewall Manager) provides a dynamically managed firewall with support for network/firewall “zones” to assign a level of trust to a network and its associated connections, interfaces or sources. It has support for IPv4, IPv6, Ethernet bridges and also for IPSet firewall settings. There is a separation of the runtime and permanent configuration options. The firewalld service can be disabled with the following command:

$ sudo systemctl mask --now firewalld.service

Rationale

Running firewalld alongside another service that provides the same functionality may lead to conflicts and unexpected results.

ID
xccdf_org.ssgproject.content_rule_service_firewalld_disabled
Severity
Medium

Remediation - Puppet

include disable_firewalld

class disable_firewalld {
  # Stop the service now and keep it from starting at boot
  service {'firewalld':
    enable => false,
    ensure => 'stopped',
  }
}

Remediation - OS Build Blueprint


[customizations.services]
masked = ["firewalld"]

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default && { rpm --quiet -q firewalld; }; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'firewalld.service'
"$SYSTEMCTL_EXEC" disable 'firewalld.service'
# Mask the unit as well, as the description above does, so nothing can start it again
"$SYSTEMCTL_EXEC" mask 'firewalld.service'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
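Since the rule is about verifying that firewalld is disabled, here is an added POSIX shell helper (not part of the SSG content or its OVAL check) that turns the words `systemctl is-enabled` and `systemctl is-active` print into a pass/fail verdict. It goes one step beyond the page by also requiring firewalld.socket to be neutralised; that, and treating a `not-found` unit as acceptable, are this example's assumptions.

```shell
#!/bin/sh
# Added example: classify systemctl unit states into a pass/fail verdict for
# the rule "firewalld service disabled". Not the SSG/OVAL check itself.

# unit_is_neutralised ENABLED_STATE ACTIVE_STATE
# Returns 0 when the unit cannot start at boot and is not running now. The
# arguments are the words `systemctl is-enabled` / `is-active` print.
unit_is_neutralised() {
    case "$1" in
        masked|masked-runtime|disabled|not-found) ;;
        # enabled, static, indirect, linked, ... can still be started
        *) return 1 ;;
    esac
    case "$2" in
        inactive|failed|unknown|'') return 0 ;;
        *) return 1 ;;   # active, activating, reloading, ...
    esac
}

# firewalld_state_verdict SVC_ENABLED SVC_ACTIVE SOCK_ENABLED SOCK_ACTIVE
# Prints PASS or FAIL and returns 0/1. Assumption of this example: both
# firewalld.service and firewalld.socket must be neutralised, because a
# .socket unit can start its service on demand; a missing socket unit
# (not-found) is acceptable.
firewalld_state_verdict() {
    if unit_is_neutralised "$1" "$2" && unit_is_neutralised "$3" "$4"; then
        echo "PASS"
        return 0
    fi
    echo "FAIL: firewalld.service=$1/$2 firewalld.socket=$3/$4"
    return 1
}

# query_unit_state UNIT: prints "<enabled-state> <active-state>" on a live
# system. is-enabled prints nothing for unknown units, hence the fallbacks.
query_unit_state() {
    e=$(systemctl is-enabled "$1" 2>/dev/null) || e="${e:-not-found}"
    a=$(systemctl is-active "$1" 2>/dev/null) || a="${a:-unknown}"
    printf '%s %s\n' "$e" "$a"
}

check_firewalld_rule() {
    set -- $(query_unit_state firewalld.service) $(query_unit_state firewalld.socket)
    firewalld_state_verdict "$1" "$2" "$3" "$4"
}

# Only touch the live system when asked to, so the functions can be sourced.
if [ "${FIREWALLD_CHECK_LIVE:-0}" = "1" ]; then
    check_firewalld_rule
fi
```

Run it with `FIREWALLD_CHECK_LIVE=1 sh check.sh` on the target host; the exit status is 0 only when the verdict is PASS.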

Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-92472-0
  - disable_strategy
- name: Stop, disable and mask firewalld when the package is installed
  ansible.builtin.systemd:
    name: firewalld.service
    enabled: false
    state: stopped
    masked: true
  when: '"firewalld" in ansible_facts.packages'