Check: SRG-OS-000480-GPOS-00231
General Purpose Operating System SRG: SRG-OS-000480-GPOS-00231 (in versions v1 r5 through v1 r5)
Title
The operating system must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems. (Cat II impact)
Discussion
Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data.
Check Content
Verify the operating system employs a deny-all, allow-by-exception firewall policy for allowing connections to other systems. If it does not, this is a finding.
Fix Text
Configure the operating system to employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.
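One way to automate the check above on a Linux host that uses iptables (an added example, not part of the SRG; the SRG names no firewall product, and the function name, sample rulesets, and addresses are constructed for illustration). It reads `iptables-save` output and reports a finding when any built-in filter chain does not default to DROP or contains an unconditional accept rule.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for a deny-all, allow-by-exception policy.
# Assumption: the host firewall is iptables; check_default_deny is a hypothetical helper name.

# Reads iptables-save output on stdin. Returns 0 when INPUT, FORWARD and OUTPUT
# in the filter table all default to DROP and no rule accepts everything;
# otherwise prints each finding and returns 1.
check_default_deny() {
    awk '
        /^\*/ { table = substr($0, 2) }      # table header, e.g. "*filter"
        table != "filter" { next }
        # Chain policy lines look like ":INPUT DROP [0:0]"
        /^:(INPUT|FORWARD|OUTPUT) / {
            chain = substr($1, 2); seen[chain] = 1
            if ($2 != "DROP") { printf "FINDING: %s default policy is %s\n", chain, $2; bad = 1 }
        }
        # "-A CHAIN -j ACCEPT" has no match criteria: it allows everything.
        /^-A (INPUT|FORWARD|OUTPUT) -j ACCEPT$/ {
            printf "FINDING: unconditional accept: %s\n", $0; bad = 1
        }
        END {
            n = split("INPUT FORWARD OUTPUT", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) { printf "FINDING: no policy for %s\n", want[i]; bad = 1 }
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample: default DROP everywhere, explicit exceptions only.
COMPLIANT_SAMPLE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp --dport 22 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 192.0.2.53/32 -p udp --dport 53 -j ACCEPT
COMMIT'

# Constructed sample: inbound is restricted but outbound is allow-all (a finding).
OPEN_OUTPUT_SAMPLE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT'
```

On a live host, run `iptables-save | check_default_deny` as root; a non-zero exit status corresponds to a finding.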
Additional Identifiers
Rule ID: SV-70841r1_rule
Vulnerability ID: V-56581
Group Title:
CCIs
Number | Definition |
---|---|
CCI-000366 | Implement the security configuration settings. |
CCI-002080 | The organization employs either an allow-all, deny-by-exception or a deny-all, permit-by-exception policy for allowing organization-defined information systems to connect to external information systems. |