Verify firewalld Enabled

An XCCDF Rule

Description

The firewalld service can be enabled with the following command:

$ sudo systemctl enable firewalld.service

Rationale

Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols.

ID: xccdf_org.ssgproject.content_rule_service_firewalld_enabled
Severity: Medium
References: 11 3 9

BAI10.01 BAI10.02 BAI10.03 BAI10.05

3.1.3 3.4.7

CCI-000366 CCI-000382 CCI-002314

4.3.4.3.2 4.3.4.3.3

SR 7.6

A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4

CIP-003-8 R4 CIP-003-8 R5 CIP-004-6 R3

AC-4 CA-3(5) CM-6(a) CM-7(b) SC-7(21)

PR.IP-1

FMT_SMF_EXT.1

SRG-OS-000096-GPOS-00050 SRG-OS-000297-GPOS-00115 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00231 SRG-OS-000480-GPOS-00232

1.2 1.2.1

3.4.1.2

SYS.1.6.A21 SYS.1.6.A5

SV-244544r958672_rule
Updated: about 1 month ago

Remediation Templates

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-RHEL-08-040101
  - NIST-800-171-3.1.3  - NIST-800-171-3.4.7
  - NIST-800-53-AC-4
  - NIST-800-53-CA-3(5)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(21)
  - PCI-DSSv4-1.2
  - PCI-DSSv4-1.2.1
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_firewalld_enabled
- name: Verify firewalld Enabled - Enable service firewalld
  block:

  - name: Gather the package facts
    package_facts:
      manager: auto

  - name: Verify firewalld Enabled - Enable Service firewalld
    ansible.builtin.systemd:
      name: firewalld
      enabled: true
      state: started
      masked: false
    when:
    - '"firewalld" in ansible_facts.packages'
  when:
  - '"kernel" in ansible_facts.packages'
  - '"firewalld" in ansible_facts.packages'
  tags:
  - DISA-STIG-RHEL-08-040101
  - NIST-800-171-3.1.3
  - NIST-800-171-3.4.7
  - NIST-800-53-AC-4
  - NIST-800-53-CA-3(5)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(21)
  - PCI-DSSv4-1.2
  - PCI-DSSv4-1.2.1
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_firewalld_enabled

include enable_firewalld
class enable_firewalld {
  service {'firewalld':
    enable => true,
    ensure => 'running',
  }
}

service enable firewalld

[customizations.services]
enabled = ["firewalld"]

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel && { rpm --quiet -q firewalld; }; then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'firewalld.service'
"$SYSTEMCTL_EXEC" start 'firewalld.service'
"$SYSTEMCTL_EXEC" enable 'firewalld.service'
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Verify firewalld Enabled

Description

Rationale

Remediation Templates

An Ansible Snippet

A Puppet Snippet

script:kickstart

OS Build Blueprint

A Shell Script