{"description": "The <code>SuSEfirewall2</code> package can be installed with the following command:\n<pre>$ sudo zypper install SuSEfirewall2</pre>\n\nThe <code>SuSEfirewall2</code> service can be enabled with the following command:\n<pre>$ sudo systemctl enable SuSEfirewall2.service</pre>\n\nCheck the firewall configuration for any unnecessary or prohibited\nfunctions, ports, protocols, and/or services by running the following\ncommand:\n\n<pre># grep ^FW_ /etc/sysconfig/SuSEfirewall2\nFW_SERVICES_ACCEPT_EXT=\"0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh\"</pre>\n\nAsk the System Administrator for the site or program PPSM Component Local\nServices Assessment (CLSA). Verify the\nservices allowed by the firewall match the PPSM CLSA. ", "rationale": "To prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types\nwithin data types), organizations must disable or restrict unused or\nunnecessary physical and logical ports/protocols on information systems.\n\nSUSE operating systems are capable of providing a wide variety of functions\nand services. Some of the functions and services provided by default may not\nbe necessary to support essential organizational operations. 
Additionally,\nit is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over\nlimiting the services provided by any one component.\n\nTo support the requirements and principles of least functionality, the SUSE\noperating system must support the organizational requirements, providing\nonly essential capabilities and limiting the use of ports, protocols,\nand/or services to only those required, authorized, and approved to conduct\nofficial business or address authorized quality-of-life issues.", "severity": "medium", "references": {"srg": ["SRG-OS-000096-GPOS-00050", "SRG-OS-000297-GPOS-00115", "SRG-OS-000480-GPOS-00231", "SRG-OS-000480-GPOS-00232"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "unauthorized network services can be accessed from the network", "ocil": "\nRun the following command to determine if the <code>SuSEfirewall2</code> package is installed:\n<pre>$ rpm -q SuSEfirewall2</pre>\n\n\nRun the following command to determine the current status of the\n<code>SuSEfirewall2</code> service:\n<pre>$ sudo systemctl is-active SuSEfirewall2</pre>\nIf the service is running, it should return the following: <pre>active</pre>\n\nCheck the firewall configuration for any unnecessary or prohibited\nfunctions, ports, protocols, and/or services by running the following\ncommand:\n\n<pre># grep ^FW_ /etc/sysconfig/SuSEfirewall2\nFW_SERVICES_ACCEPT_EXT=\"0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh\"</pre>\n\nAsk the System Administrator for the site or program PPSM Component Local\nServices Assessment (CLSA). 
Verify the services allowed by the firewall match the PPSM CLSA.\n\nIf there are any additional ports, protocols, or services that are not\nincluded in the PPSM CLSA, this is a finding.\n\nIf there are any ports, protocols, or services that are prohibited by the\nPPSM CAL, this is a finding.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Only Allow Authorized Network Services in SuSEfirewall2", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-susefirewall2/susefirewall2_only_required_services/rule.yml", "template": null}