{"description": "Services and ports can be accepted or explicitly rejected or dropped by a zone.\nFor every zone, a default behavior can be set that handles incoming traffic that\nis not further specified. Such behavior is defined by setting the target of the zone.\nThe possible options are:\n- <tt>ACCEPT</tt> - accepts all incoming packets except those disabled by a specific rule.\n- <tt>REJECT</tt> - disables all incoming packets except those that have been allowed in\n   specific rules, and the source machine is informed about the rejection.\n- <tt>DROP</tt> - disables all incoming packets except those that have been allowed in\n   specific rules, and no information is sent to the source machine.", "rationale": "To reduce the attack surface of a system, all services and ports should be blocked unless\nrequired.", "severity": "medium", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the system accepts incoming packets for unnecessary services and ports", "ocil": "To review and to ensure that listed services and ports follow site policy, run the\nfollowing command:\n<pre>$ sudo firewall-cmd --get-active-zones | awk '!/:/ {print $1}' | while read ZN; do\nfirewall-cmd --list-all --zone=$ZN; done</pre>\nTo remove an unnecessary service, run the following command:\n<pre>$ sudo firewall-cmd --remove-service=<service></pre>\nTo remove an unnecessary port, run the following command:\n<pre>$ sudo firewall-cmd --remove-port=<port-number>/<port-type></pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "package[firewalld]", "platforms": ["package[firewalld]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_firewalld"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure Unnecessary Services and Ports Are Not Accepted", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-firewalld/unnecessary_firewalld_services_ports_disabled/rule.yml", "template": null}