4.1.2 Ensure a single firewall configuration utility is in use

Information

In Linux security, employing a single, effective firewall configuration utility is crucial. Firewalls act as digital gatekeepers, filtering network traffic according to rules. A properly configured firewall ensures that only legitimate traffic is processed, reducing the system's exposure to potential threats. The choice between FirewallD and NFTables depends on the organization's specific needs:

FirewallD - A firewall service daemon that provides a dynamic, customizable host-based firewall with a D-Bus interface. Being dynamic, it allows rules to be created, changed, and deleted without restarting the firewall daemon each time the rules change.

NFTables - Includes the nft utility for configuring the nftables subsystem of the Linux kernel.

Notes:

- firewalld with the nftables backend does not support passing custom nftables rules to firewalld using the --direct option.
- In order to configure firewall rules for nftables, a firewall utility needs to be installed and active on the system. The use of more than one firewall utility may produce unexpected results.
- The rule allowing port 22 (ssh) needs to be updated to only allow systems requiring ssh connectivity to connect, as per site policy.

Proper configuration of a single firewall utility reduces exposure to cyber threats and protects services and data, while avoiding weaknesses such as open ports or exposed services. Standardizing on a single tool simplifies management, reduces errors, and strengthens security across Linux systems.

Solution

Run the following script to ensure that a single firewall utility is in use on the system:

#!/usr/bin/env bash

{
  l_fwd_status="" l_nft_status="" l_fwutil_status=""
  # Determine FirewallD utility status ("enabled-state:active-state"; empty if the package is not installed)
  rpm -q firewalld > /dev/null 2>&1 && l_fwd_status="$(systemctl is-enabled firewalld.service):$(systemctl is-active firewalld.service)"
  # Determine NFTables utility status (same format)
  rpm -q nftables > /dev/null 2>&1 && l_nft_status="$(systemctl is-enabled nftables.service):$(systemctl is-active nftables.service)"
  # Combined status string: fwd_enabled:fwd_active:nft_enabled:nft_active
  l_fwutil_status="$l_fwd_status:$l_nft_status"
  case $l_fwutil_status in
    enabled:active:masked:inactive|enabled:active:disabled:inactive)
      echo -e "
- FirewallD utility is in use, enabled and active
- NFTables utility is correctly disabled or masked and inactive
- no remediation required" ;;
    masked:inactive:enabled:active|disabled:inactive:enabled:active)
      echo -e "
- NFTables utility is in use, enabled and active
- FirewallD utility is correctly disabled or masked and inactive
- no remediation required" ;;
    enabled:active:enabled:active)
      echo -e "
- Both FirewallD and NFTables utilities are enabled and active
- stopping and masking NFTables utility"
      systemctl stop nftables && systemctl --now mask nftables ;;
    enabled:*:enabled:*)
      echo -e "
- Both FirewallD and NFTables utilities are enabled
- remediating"
      # Mask whichever utility is enabled but inactive, keeping the active one
      if [ "$(awk -F: '{print $2}' <<< "$l_fwutil_status")" = "active" ] && [ "$(awk -F: '{print $4}' <<< "$l_fwutil_status")" = "inactive" ]; then
        echo " - masking NFTables utility"
        systemctl stop nftables && systemctl --now mask nftables
      elif [ "$(awk -F: '{print $4}' <<< "$l_fwutil_status")" = "active" ] && [ "$(awk -F: '{print $2}' <<< "$l_fwutil_status")" = "inactive" ]; then
        echo " - masking FirewallD utility"
        systemctl stop firewalld && systemctl --now mask firewalld
      fi ;;
    *:active:*:active)
      echo -e "
- Both FirewallD and NFTables utilities are active
- remediating"
      # Mask whichever utility is active but not enabled, keeping the enabled one
      if [ "$(awk -F: '{print $1}' <<< "$l_fwutil_status")" = "enabled" ] && [ "$(awk -F: '{print $3}' <<< "$l_fwutil_status")" != "enabled" ]; then
        echo " - stopping and masking NFTables utility"
        systemctl stop nftables && systemctl --now mask nftables
      elif [ "$(awk -F: '{print $3}' <<< "$l_fwutil_status")" = "enabled" ] && [ "$(awk -F: '{print $1}' <<< "$l_fwutil_status")" != "enabled" ]; then
        echo " - stopping and masking FirewallD utility"
        systemctl stop firewalld && systemctl --now mask firewalld
      fi ;;
    :enabled:active)
      echo -e "
- NFTables utility is in use, enabled, and active
- FirewallD package is not installed
- no remediation required" ;;
    :)
      echo -e "
- Neither FirewallD or NFTables is installed.
- remediating
- installing NFTables"
      echo -e "
- Configure only ONE firewall either NFTables OR Firewalld and follow the according subsection to complete this remediation process"
      dnf -q install nftables ;;
    *:*:)
      echo -e "
- NFTables package is not installed on the system
- remediating
- installing NFTables"
      echo -e "
- Configure only ONE firewall either NFTables OR Firewalld and follow the according subsection to complete this remediation process"
      dnf -q install nftables ;;
    *)
      echo -e "
- Unable to determine firewall state"
      echo -e "
- MANUAL REMEDIATION REQUIRED: Configure only ONE firewall either NFTables OR Firewalld" ;;
  esac
}
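As an added example (not part of the benchmark's own script), the following audit-only classifier takes the same "fwd_enabled:fwd_active:nft_enabled:nft_active" status string the remediation script builds and returns a PASS/FAIL/MANUAL verdict without changing anything on the host. The functions fw_verdict and fw_status_string, the --live flag, and the assumption of an rpm-based system with systemd are this example's own.

```shell
#!/usr/bin/env bash
# Audit-only check for control 4.1.2 (added example). The remediation script
# branches on one status string; this reproduces that decision table as a pure
# function so it can be exercised with constructed strings, and only queries
# the host when run with --live.

# Map a status string to a verdict. First word is PASS, FAIL or MANUAL.
fw_verdict() {
  case "$1" in
    enabled:active:masked:inactive|enabled:active:disabled:inactive)
      echo "PASS firewalld in use, nftables disabled/masked and inactive" ;;
    masked:inactive:enabled:active|disabled:inactive:enabled:active)
      echo "PASS nftables in use, firewalld disabled/masked and inactive" ;;
    :enabled:active)
      echo "PASS nftables in use, firewalld package not installed" ;;
    enabled:active:enabled:active)
      echo "FAIL both enabled and active; remediation masks nftables" ;;
    enabled:*:enabled:*|*:active:*:active)
      echo "FAIL both enabled or both active; remediation masks the one not in use" ;;
    :)
      echo "FAIL no firewall utility installed; remediation installs nftables" ;;
    *:*:)
      echo "FAIL nftables package not installed; remediation installs nftables" ;;
    *)
      # e.g. ":disabled:inactive": firewalld absent, nftables present but idle
      echo "MANUAL unable to determine firewall state" ;;
  esac
}

# Build the status string from the live host, the same way the remediation
# script does. Assumes rpm and systemctl are available (this example's assumption).
fw_status_string() {
  local fwd="" nft=""
  rpm -q firewalld >/dev/null 2>&1 && \
    fwd="$(systemctl is-enabled firewalld.service):$(systemctl is-active firewalld.service)"
  rpm -q nftables >/dev/null 2>&1 && \
    nft="$(systemctl is-enabled nftables.service):$(systemctl is-active nftables.service)"
  printf '%s:%s\n' "$fwd" "$nft"
}

# Touch the host only when explicitly asked; otherwise the functions are
# available for offline checks against constructed status strings.
if [ "${1:-}" = "--live" ]; then
  fw_verdict "$(fw_status_string)"
fi
```

Run it as `bash fw_audit.sh --live` on a host to get the verdict, or source it and call fw_verdict with a status string to review a case before applying the remediation.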

See Also

https://workbench.cisecurity.org/benchmarks/18211

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|9.4

Plugin: Unix

Control ID: 6d38866471be2df7ba3aa3d2a54a64073e152bbc77b3d30b5e643143022914b5