AIX must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.

An XCCDF Rule

Description

<VulnDiscussion>Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-219057r991589_rule
Severity: Medium
References: CCI-000366 CCI-002080
Updated: 17 days ago

From the command prompt, run the following commands to create and activate "ipsec_v4" and "ipsec_v6" devices:
# mkdev -l ipsec -t 4
# mkdev -l ipsec -t 6

From the command prompt, run the following commands to change the "all traffic" rules to block all packages:
# chfilt -a D -v 4 -n 0# chfilt -a D -v 6 -n 0

Assume that the local host has IP address 10.10.10.10 and the remote host has IP address 11.11.11.11, run the following command to generate a user-defined filter rule that allow all IPv4 traffic between these 2 hosts:
# genfilt -w B -v 4 -s 10.10.10.10 -p 0 -P 0 -o any -O any -m 255.255.255.255 -M 255.255.255.255 -i all -g Y -d 11.11.11.11 -c all -a P

From the command prompt, run the following command to activate all the filter rules in the rule database:
# mkfilt -u

AIX must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.

Description

Remediation - Manual Procedure