{"description": "A default deny policy on connections ensures that any unconfigured\nnetwork usage will be rejected.\n\nNote: Any port or protocol without an explicit allow before the default\ndeny will be blocked.", "rationale": "With a default accept policy the firewall will accept any packet that\nis not configured to be denied. It is easier to allow acceptable\nusage than to block unacceptable usage.", "severity": "medium", "references": {"cis": ["4.1.7"]}, "control_references": {"cis": ["4.1.7"]}, "components": [], "identifiers": {}, "ocil_clause": "the default policy for incoming, outgoing and routed is not set to deny,\nreject or disabled", "ocil": "Run the following command and verify that the default policy for incoming,\noutgoing, and routed directions is deny, reject, or disabled:\n<pre># ufw status verbose | grep Default:</pre>\nExample output:\n<pre>Default: deny (incoming), deny (outgoing), disabled (routed)</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "Changing firewall settings while connected over the network can\nresult in being locked out of the system."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "package[ufw]", "platforms": ["package[ufw]"], "sce_metadata": {"platform": ["multi_platform_ubuntu"], "check-import": "stdout", "environment": "any", "filename": "set_ufw_default_rule.sh", "relative_path": "ubuntu2204/checks/sce/set_ufw_default_rule.sh"}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_ufw"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure ufw Default Deny Firewall Policy", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-ufw/set_ufw_default_rule/rule.yml", "template": null}
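The OCIL check above is a manual grep of "ufw status verbose". The script below is an added example, not the rule's own SCE check (set_ufw_default_rule.sh) and not code from the SCAP Security Guide: it parses the "Default:" line for all three directions, treats a firewall that prints no "Default:" line at all (ufw inactive) as a failure, and prints the remediation commands with an explicit SSH allow first, because the rule's own warning is that setting a default deny over a network session can lock you out. The sample outputs, the SSH_PORT variable and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the SCAP Security Guide rule or its SCE check.
# Evaluates the three ufw default policies from the text that
# `ufw status verbose` prints, and shows the remediation commands.
# The sample outputs below are constructed, not captured from a host.

# check_ufw_defaults: read `ufw status verbose` output on stdin; return 0
# only if incoming, outgoing and routed are each deny, reject or disabled.
# An inactive ufw prints only "Status: inactive" (no "Default:" line), so
# that case fails instead of passing by accident.
check_ufw_defaults() {
    line=$(grep '^Default:' | head -n 1)
    if [ -z "$line" ]; then
        echo "FAIL: no 'Default:' line (ufw inactive or not installed?)"
        return 1
    fi
    rc=0
    for dir in incoming outgoing routed; do
        case "$line" in
            *"deny ($dir)"* | *"reject ($dir)"* | *"disabled ($dir)"*)
                echo "ok:   $dir" ;;
            *"($dir)"*)
                echo "FAIL: $dir default policy is not deny/reject/disabled"
                rc=1 ;;
            *)
                echo "FAIL: no default policy reported for $dir"
                rc=1 ;;
        esac
    done
    return $rc
}

# remediate_ufw_defaults: print (or, with argument "run", execute) the
# commands that set a default-deny policy. The explicit allow for the
# admin's SSH port comes first so the session survives the default deny
# (assumption: management is over SSH; SSH_PORT overrides the port).
remediate_ufw_defaults() {
    ssh_port=${SSH_PORT:-22}
    for cmd in \
        "ufw allow $ssh_port/tcp" \
        "ufw default deny incoming" \
        "ufw default deny outgoing" \
        "ufw default deny routed"; do
        if [ "${1:-print}" = run ]; then $cmd; else echo "$cmd"; fi
    done
}

# Constructed samples of `ufw status verbose` output.
SAMPLE_COMPLIANT='Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip'
SAMPLE_OPEN='Status: active
Default: allow (incoming), allow (outgoing), disabled (routed)'
SAMPLE_INACTIVE='Status: inactive'

# Offline demo; on a real host use:  ufw status verbose | check_ufw_defaults
for sample in "$SAMPLE_COMPLIANT" "$SAMPLE_OPEN" "$SAMPLE_INACTIVE"; do
    printf '%s\n' "$sample" | check_ufw_defaults && echo "=> pass" || echo "=> fail"
done
remediate_ufw_defaults
```

Note that "ufw default deny outgoing" also blocks DNS, NTP and package updates until matching "ufw allow out" rules exist; add those before applying the outgoing default on a host that needs them.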