Enable SSH Server firewalld Firewall Exception
An XCCDF Rule
Description
If the SSH server is in use, inbound connections to SSH's port should be allowed to permit
remote access through SSH. In more restrictive firewalld settings, the SSH port should be
added to the proper firewalld zone in order to allow SSH remote access.
To configure firewalld
to allow ssh
access, run the following command(s):
firewall-cmd --permanent --add-service=sshThen run the following command to load the newly created rule(s):
firewall-cmd --reload
warning alert: Warning
The remediation for this rule uses
firewall-cmd
and nmcli
tools.
Therefore, it will only be executed if firewalld
and NetworkManager
services are running. Otherwise, the remediation will be aborted and a informative message
will be shown in the remediation report.
These respective services will not be started in order to preserve any intentional change
in network components related to firewall and network interfaces.warning alert: Warning
This rule also checks if the SSH port was modified by the administrator in the firewalld
services definitions and is reflecting the expected port number. Although this is checked,
fixing the custom ssh.xml file placed by the administrator at /etc/firewalld/services it
is not in the scope of the remediation since there is no reliable way to manually change
the respective file. If the default SSH port is modified, it is on the administrator
responsibility to ensure the firewalld customizations in the service port level are
properly configured.
Rationale
If inbound SSH connections are expected, adding the SSH port to the proper firewalld zone will allow remote access through the SSH port.
- ID
- xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled
- Severity
- Medium
- Updated
Remediation - Ansible
- name: XCCDF Value firewalld_sshd_zone # promote to variable
set_fact:
firewalld_sshd_zone: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_firewalld_sshd_zone" use="legacy"/>
tags:
- always
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
if ! rpm -q --quiet "firewalld" ; then
yum install -y "firewalld"
fi