Check: UBTU-16-030050
Canonical Ubuntu STIG:
UBTU-16-030050
(in version v1 r2)
Title
An application firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. (Cat II impact)
Discussion
Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data. Satisfies: SRG-OS-000297-GPOS-00115, SRG-OS-000480-GPOS-00231
Check Content
Verify the Uncomplicated Firewall is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems. Check the Uncomplicated Firewall configuration with the following command:

# sudo ufw status
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         LIMIT IN    Anywhere

If any services, ports, or applications are "allowed" and are not documented with the organization, this is a finding.
Fix Text
Configure the Uncomplicated Firewall to employ a deny-all, allow-by-exception policy for allowing connections to other systems. Remove any service that is not needed or documented by the organization with the following command (replace [NUMBER] with the rule number):

# sudo ufw delete [NUMBER]

Another option would be to set the Uncomplicated Firewall back to default with the following commands:

# sudo ufw default deny incoming
# sudo ufw default allow outgoing

Note: UFW's defaults are to deny all incoming connections and allow all outgoing connections.
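The check above is a manual comparison of the active rule set against the organization's documented exceptions, and the fix depends on the default incoming policy being deny. The following script is an added example, not part of the STIG text: it parses constructed `ufw status numbered` output (the numbered form, whose rule numbers are what `ufw delete` takes) against an assumed allowlist format and reports undocumented ALLOW/LIMIT rules, and it checks a constructed `ufw status verbose` header for the deny-incoming default. The allowlist format and the sample outputs are assumptions for the example.

```shell
# Constructed sample of "sudo ufw status numbered" output (not captured from a real host).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         LIMIT IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 8080/tcp                   ALLOW IN    Anywhere
[ 4] 22 (v6)                    LIMIT IN    Anywhere (v6)'

# Exceptions documented by the organization, one "To Action Direction" entry per line
# (assumed format for this example; the real list lives in the organization's records).
DOCUMENTED='22 LIMIT IN
80/tcp ALLOW IN'

# Constructed sample of the "sudo ufw status verbose" header lines.
SAMPLE_VERBOSE='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)'

# Print "number To Action Direction" for every ALLOW or LIMIT rule not in the documented
# list (both actions permit connections). Empty output means no finding for this part.
# Usage on a host: undocumented_rules "$(sudo ufw status numbered)" "$DOCUMENTED"
undocumented_rules() {
    printf '%s\n' "$1" | awk -v doc="$2" '
        BEGIN {
            n = split(doc, lines, "\n")
            for (i = 1; i <= n; i++) if (lines[i] != "") ok[lines[i]] = 1
        }
        /^\[ *[0-9]+\]/ {
            line = $0
            sub(/^\[ */, "", line)             # drop the "[ " prefix
            num = line; sub(/\].*/, "", num)   # rule number (what "ufw delete" takes)
            sub(/^[0-9]+\] */, "", line)       # drop "N] "
            gsub(/ \(v6\)/, "", line)          # the IPv6 twin of a rule shares its exception
            $0 = line                          # re-split: $1=To $2=Action $3=Direction
            key = $1 " " $2 " " $3
            if (($2 == "ALLOW" || $2 == "LIMIT") && !(key in ok)) print num, key
        }'
}

# Succeed only when the default incoming policy is deny, as the Fix Text requires.
# Usage on a host: incoming_default_is_deny "$(sudo ufw status verbose)"
incoming_default_is_deny() {
    printf '%s\n' "$1" | grep -q '^Default: deny (incoming)'
}

undocumented_rules "$SAMPLE_STATUS" "$DOCUMENTED"
incoming_default_is_deny "$SAMPLE_VERBOSE" && echo "default incoming policy: deny"
```

On the sample data only rule 3 (8080/tcp) is reported; delete undocumented rules from the highest number down, since ufw renumbers the remaining rules after each deletion.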
Additional Identifiers
Rule ID: SV-90487r2_rule
Vulnerability ID: V-75807
Group Title:
Expert Comments
CCIs
Number | Definition
---|---
CCI-000366 | The organization implements the security configuration settings.
CCI-002080 | The organization employs either an allow-all, deny-by-exception or a deny-all, permit-by-exception policy for allowing organization-defined information systems to connect to external information systems.
CCI-002314 | The information system controls remote access methods.