Check: UBTU-16-030050
Canonical Ubuntu 16.04 LTS STIG:
UBTU-16-030050
(in versions v2 r3 through v1 r3)
Title
An application firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. (Cat II impact)
Discussion
Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data. Satisfies: SRG-OS-000297-GPOS-00115, SRG-OS-000480-GPOS-00231
Check Content
Verify the Uncomplicated Firewall is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems. Check the Uncomplicated Firewall configuration with the following command: # sudo ufw status Status: active To Action From -- ------ ---- [ 1] 22 LIMIT IN Anywhere If any services, ports, or applications are "allowed" and are not documented with the organization, this is a finding.
Fix Text
Configure the Uncomplicated Firewall to employ a deny-all, allow-by-exception policy for allowing connections to other systems. Remove any service that is not needed or documented by the organization with the following command (replace [NUMBER] with the rule number): # sudo ufw delete [NUMBER] Another option would be to set the Uncomplicated Firewall back to default with the following commands: # sudo ufw default deny incoming # sudo ufw default allow outgoing Note: UFW’s defaults are to deny all incoming connections and allow all outgoing connections.
Additional Identifiers
Rule ID: SV-215113r610931_rule
Vulnerability ID: V-215113
Group Title: SRG-OS-000297-GPOS-00115
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
CCI-002080 |
The organization employs either an allow-all, deny-by-exception or a deny-all, permit-by-exception policy for allowing organization-defined information systems to connect to external information systems. |
CCI-002314 |
The information system controls remote access methods. |