Firewalld Must Employ a Deny-all, Allow-by-exception Policy for Allowing Connections to Other Systems

Description

Oracle Linux 8 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be utilized to a deny-all, allow-by-exception approach. The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection.

Rationale

Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of data.

ID: xccdf_org.ssgproject.content_rule_configured_firewalld_default_deny
Severity: Medium
References: CCI-002314

AC-17 (1)

SRG-OS-000297-GPOS-00115

OL08-00-040090

SV-248839r943095_rule
Updated: about 1 year ago