← Rules Catalog
mediumnetworkunverified

Ensure remote access methods match the PPSM CLSA

firewall-remote-access-ppsm · RHEL ≥ 10 · 1 impl

Description

RHEL 10 must control remote access methods so that the enabled firewall ports, protocols, and services match the site or program Ports, Protocols, and Services Management (PPSM) Component Local Service Assessment (CLSA). Because the PPSM CLSA is an external program document, this requires manual verification: the check emits the current firewall configuration for comparison.

Rationale

Ports, protocols, and services not covered by the PPSM CLSA — or ones the CLSA prohibits — represent uncontrolled remote-access paths into the system.

Check → Remediate

Checkcommand
echo "MANUAL REVIEW REQUIRED: compare the enabled firewall ports/services below against the site/program PPSM CLSA. Any port, protocol, or service not in the CLSA, or one the CLSA prohibits, is a finding."
if command -v firewall-cmd >/dev/null 2>&1; then
  firewall-cmd --list-all 2>/dev/null || echo "  (firewalld is not running)"
else
  echo "  (firewall-cmd is not present)"
fi
exit 0
expected_exit:
0
Remediatemanual
note:
Reconcile the firewall configuration with the PPSM CLSA: remove any port/protocol/service not authorized by the CLSA and add controls for any the CLSA requires.

Framework references

STIG

V-281332 / RHEL-10-800000

NIST 800-53

AC-17CM-7
#firewall#remote-access#ppsm#stig#manual