4.2.2 Ensure firewalld loopback traffic is configured

Information

Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network.

Loopback traffic is generated between processes on the machine and is typically critical to the operation of the system. The loopback interface is the only place that loopback network traffic should be seen; all other interfaces should ignore traffic on this network as an anti-spoofing measure.

Solution

Run the following script to implement the loopback rules:

#!/usr/bin/env bash

{
   l_hbfw=""
   # Identify which host-based firewall is enabled; the loopback rules below apply only to firewalld
   if systemctl is-enabled firewalld.service | grep -q 'enabled'; then
      echo -e "\n - FirewallD is in use on the system" && l_hbfw="fwd"
   elif systemctl is-enabled nftables.service 2>/dev/null | grep -q 'enabled'; then
      echo -e "\n - nftables is in use on the system\n - Recommendation is NA\n - Remediation Complete" && l_hbfw="nft"
   fi
   if [ "$l_hbfw" = "fwd" ]; then
      # Collect the IPv4 source-address rules from the input hook chain and firewalld's public deny chain
      l_ipsaddr="$(nft list ruleset | awk '/filter_IN_public_deny|hook\s+input\s+/,/}\s*(#.*)?$/' | grep -P -- 'ip\h+saddr')"
      # Check 1: traffic arriving on the loopback interface must be accepted
      if ! nft list ruleset | awk '/hook\s+input\s+/,/}\s*(#.*)?$/' | grep -Pq -- '\H+\h+"lo"\h+accept'; then
         echo -e "\n - Enabling input to accept for loopback address"
         firewall-cmd --permanent --zone=trusted --add-interface=lo
         firewall-cmd --reload
      else
         echo -e "\n - firewalld input correctly set to accept for loopback address"
         # Check 2: IPv4 packets with a loopback source address bound for any other destination must be dropped
         if ! grep -Pq -- 'ip\h+saddr\h+127\.0\.0\.0/8\h+(counter\h+packets\h+\d+\h+bytes\h+\d+\h+)?drop' <<< "$l_ipsaddr" && ! grep -Pq -- 'ip\h+daddr\h+!=\h+127\.0\.0\.1\h+ip\h+saddr\h+127\.0\.0\.1\h+drop' <<< "$l_ipsaddr"; then
            echo -e "\n - Setting IPv4 network traffic from loopback address to drop"
            firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop'
            firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop'
            firewall-cmd --reload
         else
            echo -e "\n - firewalld correctly set IPv4 network traffic from loopback address to drop"
         fi
         # Check 3: the same for ::1, but only when IPv6 is enabled (the disable parameter reads 0)
         if grep -Pq -- '^\h*0\h*$' /sys/module/ipv6/parameters/disable; then
            l_ip6saddr="$(nft list ruleset | awk '/filter_IN_public_deny|hook input/,/}/' | grep 'ip6 saddr')"
            if ! grep -Pq -- 'ip6\h+saddr\h+::1\h+(counter\h+packets\h+\d+\h+bytes\h+\d+\h+)?drop' <<< "$l_ip6saddr" && ! grep -Pq -- 'ip6\h+daddr\h+!=\h+::1\h+ip6\h+saddr\h+::1\h+drop' <<< "$l_ip6saddr"; then
               echo -e "\n - Setting IPv6 network traffic from loopback address to drop"
               firewall-cmd --permanent --add-rich-rule='rule family=ipv6 source address="::1" destination not address="::1" drop'
               firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv6 source address="::1" destination not address="::1" drop'
               firewall-cmd --reload
            else
               echo -e "\n - firewalld correctly set IPv6 network traffic from loopback address to drop"
            fi
         fi
      fi
   fi
}
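The remediation above both checks and changes the ruleset on the live host. As an added companion (not part of the CIS benchmark or the Tenable plugin), the helper below evaluates the same three conditions against the text of nft list ruleset, so the audit can be run offline against a saved ruleset or in a pipeline; the sample ruleset, the function names and the filter_INPUT chain name are my constructions in firewalld's nftables layout.

```sh
#!/bin/sh
# Added offline audit of the three loopback conditions the benchmark script enforces; not CIS
# code. Each check takes the text of `nft list ruleset` as $1, so it also runs on a saved ruleset.

S='[[:space:]]+'   # one or more blanks, as nft prints between tokens
N='[0-9]+'         # packet/byte counters nft shows when "counter" is set on a rule

# Narrow to the input-hook chain and firewalld's public deny chain, as the benchmark's awk
# range does, so a matching rule in an unrelated chain is not mistaken for coverage.
loopback_chains() {
  awk '/filter_IN_public_deny|hook[[:space:]]+input[[:space:]]+/,/}[[:space:]]*(#.*)?$/'
}

# Each check returns 0 when its rule is present in the scoped chains.
lo_accepted()   { printf '%s\n' "$1" | loopback_chains | grep -Eq -- "[^[:space:]]+${S}\"lo\"${S}accept"; }
v4_lo_dropped() { printf '%s\n' "$1" | loopback_chains | grep -Eq -- \
  "ip${S}saddr${S}127\\.0\\.0\\.0/8${S}(counter${S}packets${S}${N}${S}bytes${S}${N}${S})?drop|ip${S}daddr${S}!=${S}127\\.0\\.0\\.1${S}ip${S}saddr${S}127\\.0\\.0\\.1${S}drop"; }
v6_lo_dropped() { printf '%s\n' "$1" | loopback_chains | grep -Eq -- \
  "ip6${S}saddr${S}::1${S}(counter${S}packets${S}${N}${S}bytes${S}${N}${S})?drop|ip6${S}daddr${S}!=${S}::1${S}ip6${S}saddr${S}::1${S}drop"; }

# audit_loopback RULESET_TEXT: prints PASS/FAIL per check and returns the number of failures.
audit_loopback() {
  fails=0
  for item in "loopback interface accepted:lo_accepted" \
              "IPv4 loopback source dropped:v4_lo_dropped" \
              "IPv6 loopback source dropped:v6_lo_dropped"; do
    if "${item##*:}" "$1"; then echo "PASS ${item%%:*}"; else echo "FAIL ${item%%:*}"; fails=$((fails + 1)); fi
  done
  return "$fails"
}

# Constructed sample in firewalld's nftables layout, as it looks after the remediation has run.
REMEDIATED_RULESET='table inet firewalld {
        chain filter_INPUT {
                type filter hook input priority filter + 10; policy accept;
                ct state { established, related } accept
                iifname "lo" accept
                jump filter_INPUT_ZONES
        }
        chain filter_IN_public_deny {
                ip daddr != 127.0.0.1 ip saddr 127.0.0.1 drop
                ip6 daddr != ::1 ip6 saddr ::1 drop
        }
}'
# The same host before remediation: lo is accepted, but nothing drops spoofed loopback sources.
UNREMEDIATED_RULESET="$(printf '%s\n' "$REMEDIATED_RULESET" | grep -v saddr)"

audit_loopback "$REMEDIATED_RULESET" || echo "failures: $?"
audit_loopback "$UNREMEDIATED_RULESET" || echo "failures: $?"
```

On a live firewalld host the same checks run with audit_loopback "$(nft list ruleset)"; a non-zero return is the number of conditions the remediation script would still have to set.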

See Also

https://workbench.cisecurity.org/benchmarks/18209

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|9.4

Plugin: Unix

Control ID: 5062432b39f466be70b07eabaac3197ddb1e3dd6727b1a1748173bc075f89a64