AIX must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.

An XCCDF Rule

Description

Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data.

ID: SV-219057r991589_rule
Version: AIX7-00-003143
Severity: Medium
References: CCI-000366 CCI-002080
Updated: 3 days ago

Remediation Templates

From the command prompt, run the following commands to create and activate "ipsec_v4" and "ipsec_v6" devices:
# mkdev -l ipsec -t 4
# mkdev -l ipsec -t 6

From the command prompt, run the following commands to change the "all traffic" rules to block all packages:
# chfilt -a D -v 4 -n 0# chfilt -a D -v 6 -n 0

Assume that the local host has IP address 10.10.10.10 and the remote host has IP address 11.11.11.11, run the following command to generate a user-defined filter rule that allow all IPv4 traffic between these 2 hosts:
# genfilt -w B -v 4 -s 10.10.10.10 -p 0 -P 0 -o any -O any -m 255.255.255.255 -M 255.255.255.255 -i all -g Y -d 11.11.11.11 -c all -a P

From the command prompt, run the following command to activate all the filter rules in the rule database:
# mkfilt -u

AIX must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.

Description

Remediation Templates

A Manual Procedure