Verify firewalld Enabled
An XCCDF Rule
Description
The firewalld service can be enabled with the following manifest:
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-firewalld-enable
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: firewalld.service
        enabled: true
This will enable the firewalld service in all the nodes labeled with the "master" role.
Note that this needs to be done for each MachineConfigPool.
For more information on how to configure nodes with the Machine Config Operator see the relevant documentation.
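Because the manifest above only covers one MachineConfigPool, a practitioner checking this rule wants to know which roles still lack an enabled firewalld.service unit. The following check is an added example, not part of the rule text or the ComplianceAsCode project; it walks MachineConfig objects in the JSON shape returned by `oc get machineconfig -o json`, and the sample objects in it are constructed here rather than taken from a real cluster.

```python
"""Check MachineConfigs for an enabled firewalld.service unit per role.

Added example (not part of the original rule). Input is the JSON form of
MachineConfig objects as `oc get machineconfig -o json` prints them; the
SAMPLE data below is constructed for illustration only.
"""
import json

ROLE_LABEL = "machineconfiguration.openshift.io/role"
UNIT = "firewalld.service"


def firewalld_enabled(mc: dict) -> bool:
    """True if this MachineConfig enables (and does not mask) firewalld.service."""
    units = (mc.get("spec", {}).get("config", {})
               .get("systemd", {}).get("units", []))
    for unit in units:
        if unit.get("name") != UNIT:
            continue
        # A masked unit can never start, whatever 'enabled' says.
        if unit.get("mask") is True:
            return False
        if unit.get("enabled") is True:
            return True
    return False


def roles_missing_firewalld(mc_list: dict, required_roles) -> list:
    """Roles (MachineConfigPools) with no MachineConfig that enables firewalld."""
    covered = set()
    for mc in mc_list.get("items", []):
        role = mc.get("metadata", {}).get("labels", {}).get(ROLE_LABEL)
        if role and firewalld_enabled(mc):
            covered.add(role)
    return sorted(set(required_roles) - covered)


def _mc(name: str, role: str, units: list) -> dict:
    """Build a minimal MachineConfig document (constructed sample data)."""
    return {"apiVersion": "machineconfiguration.openshift.io/v1",
            "kind": "MachineConfig",
            "metadata": {"name": name, "labels": {ROLE_LABEL: role}},
            "spec": {"config": {"ignition": {"version": "3.1.0"},
                                "systemd": {"units": units}}}}


# Constructed sample: master carries the manifest from the rule text, worker does not.
SAMPLE = {"items": [
    _mc("75-master-firewalld-enable", "master", [{"name": UNIT, "enabled": True}]),
    _mc("00-worker", "worker", []),
]}

if __name__ == "__main__":
    print(json.dumps(roles_missing_firewalld(SAMPLE, ["master", "worker"])))
```

Feeding it the live `oc get machineconfig -o json` output instead of SAMPLE turns it into a quick audit of which pools still need the manifest applied.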
Rationale
Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols.
- ID
- xccdf_org.ssgproject.content_rule_service_firewalld_enabled
- Severity
- Medium