← Rules Catalog
mediumnetworkunverified

Ensure functions, ports, protocols, and services match the PPSM CAL

firewall-ppsm-cal · RHEL ≥ 10 · 1 impl

Description

RHEL 10 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the PPSM Component Approved List (CAL) and vulnerability assessments. Because the PPSM CAL is an external program document, this requires manual verification: the check emits the active firewall zones/services for comparison.

Rationale

Unnecessary or prohibited functions, ports, protocols, and services expand the attack surface. The PPSM CAL defines what is permitted; anything beyond it must be removed or restricted.

Check → Remediate

Checkcommand
echo "MANUAL REVIEW REQUIRED: compare the active firewall zones/services below against the PPSM CAL. Any function, port, protocol, or service that is unnecessary or prohibited by the CAL is a finding."
if command -v firewall-cmd >/dev/null 2>&1; then
  firewall-cmd --list-all-zones 2>/dev/null || echo "  (firewalld is not running)"
else
  echo "  (firewall-cmd is not present)"
fi
exit 0
expected_exit:
0
Remediatemanual
note:
Restrict the firewall and running services to only those authorized by the PPSM CAL; disable or remove any unnecessary or prohibited function, port, protocol, or service.

Framework references

STIG

V-281333 / RHEL-10-800010

NIST 800-53

CM-7
#firewall#ppsm#ports-protocols-services#stig#manual