GEN008540 - The system's local firewall must implement a deny-all, allow-by-exception policy.

Information

A local firewall protects the system from exposing unnecessary or undocumented network services to the local enclave. If a system within the enclave is compromised, firewall protection on an individual system continues to protect it from attack.

Solution

Edit '/etc/sysconfig/iptables' and add a default deny rule.

An example of a default deny rule:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Restart the iptable service.
# service iptables restart

See Also

http://iasecontent.disa.mil/stigs/zip/U_RedHat_5_V1R18_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(5), CAT|II, CCE|CCE-14264-6, CCI|CCI-001109, Group-ID|V-22583, Rule-ID|SV-37985r1_rule, STIG-ID|GEN008540, Vuln-ID|V-22583

Plugin: Unix

Control ID: b661d369288b69a91a0c2aab21a8f7b3d4d11fe4d6fb2c94ca23b084193739e5