Check: GEN008540
SUSE Linux Enterprise Server v11 for System z STIG: GEN008540 (in versions v1 r12 through v1 r9)
Title
The system's local firewall must implement a deny-all, allow-by-exception policy. (Cat II impact)
Discussion
A local firewall protects the system from exposing unnecessary or undocumented network services to the local enclave. If a system within the enclave is compromised, firewall protection on an individual system continues to protect it from attack.
Check Content
Check the firewall rules for a default deny rule:
# iptables --list
If there is no default deny rule, this is a finding.
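As an added example (not part of the STIG text), the following POSIX shell checker reads iptables --list output and reports whether the INPUT chain carries a default deny, either as the chain's policy or as a trailing catch-all DROP/REJECT rule. The listings embedded in it are constructed samples; a deny that lives only in a user chain that INPUT jumps to would not be recognised by this check.

```shell
#!/bin/sh
# Added example (not STIG text): decide from plain `iptables --list` output
# (no -v; -n is fine) whether the INPUT chain has a default deny, i.e. either
# a DROP/REJECT chain policy or a catch-all DROP/REJECT rule. Reads stdin.
input_has_default_deny() {
    awk '
        BEGIN { any = "^(anywhere|0\\.0\\.0\\.0/0)$" }
        # Track which chain we are in; only INPUT matters for this check.
        /^Chain / { in_input = ($2 == "INPUT") }
        # Chain header carrying a deny policy: "Chain INPUT (policy DROP)".
        in_input && /^Chain INPUT \(policy (DROP|REJECT)\)/ { found = 1 }
        # Catch-all rule: target DROP/REJECT, all protocols, any source and
        # destination, no further match fields (REJECT may add reject-with).
        in_input && $1 ~ /^(DROP|REJECT)$/ && $2 == "all" &&
            $4 ~ any && $5 ~ any && (NF == 5 || $6 == "reject-with") { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Wrapper in STIG terms: prints "finding" or "pass" for a listing passed as $1.
check_listing() {
    if printf '%s\n' "$1" | input_has_default_deny; then echo pass; else echo finding; fi
}

# Constructed sample listings (not captured from a real host).
# FORWARD has a deny policy but INPUT is wide open: still a finding.
SAMPLE_OPEN='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy DROP)
target     prot opt source               destination'

# INPUT rules ending in a catch-all DROP (other chains omitted).
SAMPLE_RULE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
DROP       all  --  anywhere             anywhere'

# Default deny expressed as the chain policy instead of a rule.
SAMPLE_POLICY='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22'

# Usage on a live system:  iptables --list | input_has_default_deny
for s in "$SAMPLE_OPEN" "$SAMPLE_RULE" "$SAMPLE_POLICY"; do check_listing "$s"; done
```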
Fix Text
Edit "/etc/sysconfig/scripts/SuSEfirewall2-custom" and add a default deny rule. Restart the SuSEfirewall2 service:
# rcSuSEfirewall2 restart
Additional Identifiers
Rule ID: SV-46060r1_rule
Vulnerability ID: V-22583
Group Title: GEN008540
CCIs
Number | Definition
---|---
CCI-001109 | The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).
Controls
Number | Title
---|---
SC-7 (5) | Deny By Default / Allow By Exception