{"description": "To verify the system's access control program is configured\nto grant or deny system access to specific hosts, check to see\nif \"firewalld\" is active with the following command:\n\n<pre># systemctl status firewalld\nfirewalld.service - firewalld - dynamic firewall daemon\nLoaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)\nActive: active (running) since Sun 2014-04-20 14:06:46 BST; 30s ago</pre>\n\nIf \"firewalld\" is active, check to see if it is configured to grant or deny\naccess to specific hosts or services with the following commands:\n\n<pre># firewall-cmd --get-default-zone\npublic\n\n# firewall-cmd --list-all --zone=public\npublic (active)\ntarget: default\nicmp-block-inversion: no\ninterfaces: eth0\nsources:\nservices: mdns ssh\nports:\nprotocols:\nmasquerade: no\nforward-ports:\nicmp-blocks:</pre>\n\nIf \"firewalld\" is not active, determine whether \"tcpwrappers\" is being used by checking\nwhether the \"hosts.allow\" and \"hosts.deny\" files are empty with the following commands:\n\n<pre># ls -al /etc/hosts.allow\n-rw-r----- 1 root root 9 Aug 2 23:13 /etc/hosts.allow\n\n# ls -al /etc/hosts.deny\n-rw-r----- 1 root root 9 Apr 9 2007 /etc/hosts.deny</pre>\n\nIf \"firewalld\" and \"tcpwrappers\" are not installed, configured, and active,\nask the SA if another access control program (such as iptables) is installed\nand active.\n\nAsk the SA to show that the running configuration grants or denies access\nto specific hosts or services.\n\nIf \"firewalld\" is active and is not configured to grant access to specific\nhosts, or \"tcpwrappers\" is not configured to grant or deny access to\nspecific hosts, this is a finding.", "rationale": "If the system's access control program is not configured with appropriate\nrules for allowing and denying access to system network resources,\nservices may be accessible to unauthorized hosts.", "severity": "medium", "references": {"nist": ["CM-6 b", "CM-6.1(iv)"], "srg": 
["SRG-OS-000480-GPOS-00227"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the system access control program is not configured", "ocil": "To verify there is a system access control program configured\nto grant or deny system access to specific hosts, check to see\nif \"firewalld\" is active and the default zone is \"public\".\n\nIf \"firewalld\" is not active, determine whether \"tcpwrappers\"\nis being used by checking whether the \"hosts.allow\" and \"hosts.deny\"\nfiles are empty.\n\nIf \"firewalld\" is not active and configured, and the \"hosts.allow\" and\n\"hosts.deny\" files are empty, this is a finding.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "This rule checks that either firewalld or tcpwrappers is being used\nto restrict system access to some hosts and/or services. It does not\ncheck for any specific hosts/services. Make sure that the allowed\nhosts/services meet your operational needs."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "package[firewalld]", "platforms": ["package[firewalld]"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["package_firewalld"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Grant Or Deny System Access To Specific Hosts And Services", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network_implement_access_control/rule.yml", "template": null}