{"description": "Configure the <tt>firewalld</tt> ports to allow approved services to have access to the system.\nTo configure <tt>firewalld</tt> to open ports, run the following command:\n<pre>firewall-cmd --permanent --add-port=<i>port_number/tcp</i></pre>\nTo configure <tt>firewalld</tt> to allow access for pre-defined services, run the following\ncommand:\n<pre>firewall-cmd --permanent --add-service=<i>service_name</i></pre>", "rationale": "In order to prevent unauthorized connection of devices, unauthorized transfer of information,\nor unauthorized tunneling (i.e., embedding of data types within data types), organizations must\ndisable or restrict unused or unnecessary physical and logical ports/protocols on information\nsystems.\n<br /><br />\nOperating systems are capable of providing a wide variety of functions and services.\nSome of the functions and services provided by default may not be necessary to support\nessential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single component\n(e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by\none component.\n<br /><br />\nTo support the requirements and principles of least functionality, the operating system must\nsupport the organizational requirements, providing only essential capabilities and limiting the\nuse of ports, protocols, and/or services to only those required, authorized, and approved to\nconduct official business.", "severity": "medium", "references": {"cis-csc": ["11", "12", "14", "15", "3", "8", "9"], "cobit5": ["APO13.01", "BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS01.04", "DSS05.02", "DSS05.03", "DSS05.05", "DSS06.06"], "isa-62443-2009": ["4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4", "4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 7.1", "SR 7.6"], "iso27001-2013": ["A.11.2.6", "A.12.1.2", "A.12.5.1", "A.12.6.2", "A.13.1.1", "A.13.2.1", "A.14.1.3", "A.14.2.2", "A.14.2.3", "A.14.2.4", "A.6.2.1", "A.6.2.2", "A.9.1.2"], "nist": ["AC-4", "CM-7(b)", "CA-3(5)", "SC-7(21)", "CM-6(a)"], "nist-csf": ["PR.AC-3", "PR.IP-1", "PR.PT-3", "PR.PT-4"], "srg": ["SRG-OS-000096-GPOS-00050", "SRG-OS-000297-GPOS-00115"], "ism": ["1416"], "pcidss4": ["1.3.1", "1.3"]}, "control_references": {"ism": ["1416"], "pcidss4": ["1.3.1", "1.3"]}, "components": [], "identifiers": {}, "ocil_clause": "there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), or there are no firewall rules configured", "ocil": "Inspect the list of enabled firewall ports and verify they are configured correctly by running\nthe following command:\n\n<pre>$ sudo firewall-cmd --list-all</pre>\n\nAsk the System Administrator for the site or program Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA). Verify the services allowed by the firewall match the PPSM CLSA.", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to allow approved settings and/or running services to comply with the PPSM Component Local Service Assessment (CLSA) for the site or program and the PPSM CAL.\n\nTo open a port for a service, configure firewalld using the following command:\n\n$ sudo firewall-cmd --permanent --add-port=port_number/tcp\nor\n$ sudo firewall-cmd --permanent --add-service=service_name", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 Must Control Remote Access Methods.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must control remote access methods.", "vuldiscussion": "To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by one component.\n\nTo support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business.", "checktext": "Inspect the list of enabled firewall ports and verify they are configured correctly by running the following command:\n\n$ sudo firewall-cmd --list-all\n\nAsk the system administrator for the site or program Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA). Verify the services allowed by the firewall match the PPSM CLSA.\n\nIf there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), or there are no firewall rules configured, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to allow approved settings and/or running services to comply with the PPSM CLSA for the site or program and the PPSM CAL.\n\nTo open a port for a service, configure firewalld using the following command:\n\n$ sudo firewall-cmd --permanent --add-port=port_number/tcp\nor\n$ sudo firewall-cmd --permanent --add-service=service_name"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Configure the Firewalld Ports", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml", "template": null}