OL 9 must be configured so that the firewall employs a deny-all, allow-by-exception policy for allowing connections to other systems.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-271473 | OL09-00-000224 | SV-271473r1091131_rule | Medium |
| Description |
| Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DOD data. OL 9 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be used to a deny-all, allow-by-exception approach. The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection. |
| STIG | Date |
| Oracle Linux 9 Security Technical Implementation Guide | 2025-05-08 |
Details
| Check Text (C-75523r1091129_chk) |
| Verify that OL 9 is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands: $ sudo firewall-cmd --state running $ sudo firewall-cmd --get-active-zones public interfaces: ens33 $ sudo firewall-cmd --info-zone=public | grep target target: DROP $ sudo firewall-cmd --permanent --info-zone=public | grep target target: DROP If no zones are active on the OL 9 interfaces or if runtime and permanent targets are set to a different option other than "DROP", this is a finding. |
| Fix Text (F-75430r1091130_fix) |
| Configure the firewalld daemon to employ a deny-all, allow-by-exception with the following commands: Start by adding the exceptions that are required for mission functionality to the "drop" zone. If SSH access on port 22 is needed, for example, run the following: "sudo firewall-cmd --permanent --add-service=ssh --zone=drop" Reload the firewall rules to update the runtime configuration from the "--permanent" changes made above: $ sudo firewall-cmd --reload Set the default zone to the drop zone: $ sudo firewall-cmd --set-default-zone=drop Note: This is a runtime and permanent change. Add any interfaces to the newly modified "drop" zone: $ sudo firewall-cmd --permanent --zone=drop --change-interface=ens33 Reload the firewall rules for changes to take effect: $ sudo firewall-cmd --reload |