{"description": "Check the firewall configuration for any unnecessary or prohibited\nfunctions, ports, protocols, and/or services by running the following\ncommand:\n<pre>$ sudo ufw show raw\nChain OUTPUT (policy ACCEPT)\ntarget prot opt sources destination\nChain INPUT (policy ACCEPT 1 packets, 40 bytes)\npkts bytes target prot opt in out source destination\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\npkts bytes target prot opt in out source destination\nChain OUTPUT (policy ACCEPT 0 packets, 0 bytes)\npkts bytes target prot opt in out source destination</pre>\n\nAsk the System Administrator for the site or program PPSM CLSA. Verify\nthe services allowed by the firewall match the PPSM CLSA.", "rationale": "To prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types\nwithin data types), organizations must disable or restrict unused or\nunnecessary physical and logical ports/protocols on information systems.\n\nOperating systems are capable of providing a wide variety of functions\nand services. Some of the functions and services provided by default\nmay not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services\nfrom a single component (e.g., VPN and IPS); however, doing so\nincreases risk over limiting the services provided by any one component.\n\nTo support the requirements and principles of least functionality, the\noperating system must support the organizational requirements, providing\nonly essential capabilities and limiting the use of ports, protocols,\nand/or services to only those required, authorized, and approved to\nconduct official business or to address authorized quality of life\nissues.", "severity": "medium", "references": {"srg": ["SRG-OS-000096-GPOS-00050"], "stigid": ["UBTU-22-251030"], "stigref": ["SV-260518r958480_rule"]}, "control_references": {"stigid": ["UBTU-22-251030"]}, "components": [], "identifiers": {}, "ocil_clause": "unauthorized network services can be accessed from the network", "ocil": "Check the firewall configuration for any unnecessary or prohibited\nfunctions, ports, protocols, and/or services by running the following\ncommand:\n<pre>$ sudo ufw show raw</pre>\n\nAsk the System Administrator for the site or program PPSM CLSA. Verify\nthe services allowed by the firewall match the PPSM CLSA.\n\nAdd all ports, protocols, or services allowed by the PPSM CLSA by using\nthe following command:\n<pre>$ sudo ufw allow \"direction\" \"port/protocol/service\"</pre>\nwhere the direction is \"in\" or \"out\" and the port is the one\ncorresponding to the protocol or service allowed.\n\nTo deny access to ports, protocols, or services, use:\n<pre>$ sudo ufw deny \"direction\" \"port/protocol/service\"</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Only Allow Authorized Network Services in ufw", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-ufw/ufw_only_required_services/rule.yml", "template": null}