- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
Assign loopback interface to the firewalld
trusted
zone in order to
explicitly allow the loopback traffic in the system.
To configure firewalld
to trust loopback traffic, run the following command:
sudo firewall-cmd --permanent --zone=trusted --add-interface=lo
To ensure firewalld
settings are applied in runtime, run the following command:
firewall-cmd --reload
Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure.
The following script can be run on the host to remediate the issue.
#!/bin/bash
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
if ! rpm -q --quiet "firewalld" ; then
yum install -y "firewalld"
fi
if test "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)"; then
firewall-offline-cmd --zone=trusted --add-interface=lo
elif systemctl is-active firewalld; then
firewall-cmd --permanent --zone=trusted --add-interface=lo
firewall-cmd --reload
else
echo "
firewalld service is not active. Remediation aborted!
This remediation could not be applied because it depends on firewalld service running.
The service is not started by this remediation in order to prevent connection issues."
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
The following playbook can be run with Ansible to remediate the issue.
- name: Configure Firewalld to Trust Loopback Traffic - Ensure firewalld Package is
Installed
ansible.builtin.package:
name: '{{ item }}'
state: present
with_items:
- firewalld
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-87278-8
- PCI-DSSv4-1.4.1
- configure_strategy
- firewalld_loopback_traffic_trusted
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Configure Firewalld to Trust Loopback Traffic - Collect Facts About System
Services
ansible.builtin.service_facts: null
register: result_services_states
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-87278-8
- PCI-DSSv4-1.4.1
- configure_strategy
- firewalld_loopback_traffic_trusted
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Configure Firewalld to Trust Loopback Traffic - Remediation is Applicable
if firewalld Service is Running
block:
- name: Configure Firewalld to Trust Loopback Traffic - Ensure firewalld trusted
Zone Includes lo Interface
ansible.builtin.command:
cmd: firewall-cmd --permanent --zone=trusted --add-interface=lo
register: result_lo_interface_assignment
changed_when:
- '''ALREADY_ENABLED'' not in result_lo_interface_assignment.stderr'
- name: Configure Firewalld to Trust Loopback Traffic - Ensure firewalld Changes
are Applied
ansible.builtin.service:
name: firewalld
state: reloaded
when:
- result_lo_interface_assignment is changed
when:
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- ansible_facts.services['firewalld.service'].state == 'running'
tags:
- CCE-87278-8
- PCI-DSSv4-1.4.1
- configure_strategy
- firewalld_loopback_traffic_trusted
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Configure Firewalld to Trust Loopback Traffic - Informative Message Based
on Service State
ansible.builtin.assert:
that:
- ansible_facts.services['firewalld.service'].state == 'running'
fail_msg:
- firewalld service is not active. Remediation aborted!
- This remediation could not be applied because it depends on firewalld service
running.
- The service is not started by this remediation in order to prevent connection
issues.
success_msg:
- Configure Firewalld to Trust Loopback Traffic remediation successfully executed
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-87278-8
- PCI-DSSv4-1.4.1
- configure_strategy
- firewalld_loopback_traffic_trusted
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed