Check: ENS-FW-000005
Trellix ENS 10.x STIG:
ENS-FW-000005
(in versions v2 r14 through v2 r13)
Title
(CUI) The ENS Firewall rules must allow all outbound TCP traffic. (Cat II impact)
Discussion
(CUI) Outbound connections are imperative for the operation of the Trellix Agent to communicate with the ePO server, Agent Handlers, and repositories. To ensure that connectivity is maintained, all outbound connections must be allowed with an explicit rule.
Check Content
(CUI) Access the ePO server console. Select Menu >> Policy >> Policy Catalog and then select “Endpoint Security Firewall” from the Product list. From the Category list, select “Firewall Rules”. Select each configured Firewall Rules policy. Verify a rule is explicitly configured to allow all outbound TCP traffic. If a rule is not configured to explicitly allow all outbound TCP traffic, this is a finding. Note: The Trellix core networking rule named "Allow Trellix applications" also meets this requirement. This requirement is NA for the Remote Console firewall policy.
Fix Text
(CUI) Access the ePO server console. Select Menu >> Policy >> Policy Catalog and then select "Endpoint Security Firewall" from the Product list. From the Category list, select "Firewall Rules". Select each configured Firewall Rules policy. Configure a rule to explicitly allow all outbound TCP traffic. Click "Save".
Additional Identifiers
Rule ID: SV-230199r944453_rule
Vulnerability ID: V-230199
Group Title: SRG-APP-000272
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001247 |
The information system automatically updates malicious code protection mechanisms. |
Controls
Number | Title |
---|---|
SI-3 (2) |
Automatic Updates |