{"description": "To set the default zone to <tt>drop</tt> for\nthe built-in default zone which processes incoming IPv4 and IPv6 packets,\nmodify the following line in\n<tt>/etc/firewalld/firewalld.conf</tt> to be:\n<pre>DefaultZone=drop</pre>", "rationale": "In <tt>firewalld</tt> the default zone is applied only after all\nthe applicable rules in the table are examined for a match. Setting the\ndefault zone to <tt>drop</tt> implements proper design for a firewall, i.e.\nany packets which are not explicitly permitted should not be\naccepted.", "severity": "medium", "references": {"cis-csc": ["11", "14", "3", "9"], "cjis": ["5.10.1"], "cobit5": ["BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS05.02", "DSS05.05", "DSS06.06"], "cui": ["3.1.3", "3.4.7", "3.13.6"], "isa-62443-2009": ["4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4", "4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7", "SR 7.6"], "iso27001-2013": ["A.12.1.2", "A.12.5.1", "A.12.6.2", "A.14.2.2", "A.14.2.3", "A.14.2.4", "A.9.1.2"], "nist": ["CA-3(5)", "CM-7(b)", "SC-7(23)", "CM-6(a)"], "nist-csf": ["PR.IP-1", "PR.PT-3"], "pcidss": ["Req-1.4"], "srg": ["SRG-OS-000480-GPOS-00227"], "ism": ["1416"], "pcidss4": ["1.3.1", "1.3"]}, "control_references": {"ism": ["1416"], "pcidss4": ["1.3.1", "1.3"]}, "components": [], "identifiers": {}, "ocil_clause": "the default zone is not set to DROP", "ocil": "Inspect the file <tt>/etc/firewalld/firewalld.conf</tt> to determine\nthe default zone for the <tt>firewalld</tt>. It should be set to <tt>DefaultZone=drop</tt>:\n<pre>$ sudo grep DefaultZone /etc/firewalld/firewalld.conf</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "To prevent denying any access to the system, automatic remediation\nof this control is not available. Remediation must be automated as\na component of machine provisioning, or followed manually as outlined\nabove."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "A Ubuntu 22.04 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.", "vuldiscussion": "Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data.\n\nUbuntu 22.04 incorporates the \"firewalld\" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be utilized to a deny-all, allow-by-exception approach. The default \"drop\" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection.", "checktext": "Verify the Ubuntu 22.04 \"firewalld\" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands:\n\n$ sudo  firewall-cmd --state\n\nrunning\n\n$ sudo firewall-cmd --get-active-zones\n\npublic\n   interfaces: ens33\n\n$ sudo firewall-cmd --info-zone=public | grep target\n\n   target: DROP\n\n$ sudo firewall-cmd --permanent --info-zone=public | grep target\n\n   target: DROP\n\nIf no zones are active on the Ubuntu 22.04 interfaces or if runtime and permanent targets are set to a different option other than \"DROP\", this is a finding.", "fixtext": "Configure the \"firewalld\" daemon to employ a deny-all, allow-by-exception with the following commands:\n\nStart by adding the exceptions that are required for mission functionality to the \"drop\" zone. If you need SSH access on port 22, for example, run the following: \"sudo firewall-cmd --permanent --add-service=ssh --zone=drop\"\n\nReload the firewall rules to update the runtime configuration from the \"--permanent\" changes made above:\n$ sudo firewall-cmd --reload\n\nSet the default zone to the drop zone:\n$ sudo firewall-cmd --set-default-zone=drop\nNote: This is a runtime and permanent change.\n\nAdd any interfaces to the newly modified \"drop\" zone:\n$ sudo firewall-cmd --permanent --zone=drop --change-interface=ens33\n\nReload the firewall rules for changes to take effect:\n$ sudo firewall-cmd --reload"}}, "platform": "package[firewalld]", "platforms": ["package[firewalld]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_firewalld"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Set Default firewalld Zone for Incoming Packets", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml", "template": {"name": "lineinfile", "vars": {"path": "/etc/firewalld/firewalld.conf", "text": "DefaultZone=drop"}, "backends": {"ansible": "off", "bash": "off"}}}