Description
The firewalld service can be enabled with the following command:
$ sudo systemctl enable firewalld.service
Rationale
Access control methods provide the ability to enhance system security posture
by restricting services and known good IP addresses and address ranges. This
prevents connections from unknown hosts and protocols.
Shell script
The following script can be run on the host to remediate the issue.
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
SYSTEMCTL\_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL\_EXEC" unmask 'firewalld.service'
"$SYSTEMCTL\_EXEC" start 'firewalld.service'
"$SYSTEMCTL\_EXEC" enable 'firewalld.service'
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Enable service firewalld
block:
- name: Gather the package facts
package\_facts:
manager: auto
- name: Enable service firewalld
systemd:
name: firewalld
enabled: 'yes'
state: started
masked: 'no'
when:
- '"firewalld" in ansible\_facts.packages'
when: ansible\_virtualization\_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80998-8
- DISA-STIG-RHEL-07-040520
- NIST-800-171-3.1.3
- NIST-800-171-3.4.7
- NIST-800-53-AC-4
- NIST-800-53-CA-3(5)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(21)
- enable\_strategy
- low\_complexity
- low\_disruption
- medium\_severity
- no\_reboot\_needed
- service\_firewalld\_enabled
