Title

SLEM 5 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. (Cat II impact)

Discussion

To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Additionally, operating system remote access functionality must have the capability to immediately disconnect current users remotely accessing the information system and/or disable further remote access. The speed of disconnect or disablement varies based on the criticality of mission functions and the need to eliminate immediate or future remote access to organizational information systems.

Check Content

Verify SLEM 5 "firewalld.service" is enabled and running with the following command: > systemctl status firewalld.service firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled) Active: active (running) since Wed 2023-11-29 08:12:35 MST If the service is not enabled and active, this is a finding. Check the firewall configuration for any unnecessary or prohibited functions, ports, protocols, and/or services by running the following command: > sudo firewall-cmd --list-all Ask the system administrator for the site or program PPSM Component Local Services Assessment (Component Local Services Assessment (CLSA). Verify the services allowed by the firewall match the PPSM CLSA. If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding. If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.

Fix Text

Configure SLEM 5 is configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments. Add/modify /etc/firewalld configuration files to comply with the PPSM CAL. Enable and start the "firewalld.service" by running the following command: > sudo systemctl enable firewalld.service --now To immediately disable remote access and disconnect all current remote connections, the firewall needs to be set into panic mode. > sudo firewall-cmd --panic-on To allow remote access, panic mode needs to be disabled. > sudo firewall-cmd --panic-off

Additional Identifiers

Rule ID: SV-261310r996401_rule

Vulnerability ID: V-261310

Group Title: SRG-OS-000096-GPOS-00050

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.