mediumnetworkunverified
Ensure remote access methods match the PPSM CLSA
firewall-remote-access-ppsm · RHEL ≥ 10 · 1 impl
Description
RHEL 10 must control remote access methods so that the enabled firewall ports, protocols, and services match the site or program Ports, Protocols, and Services Management (PPSM) Component Local Service Assessment (CLSA). Because the PPSM CLSA is an external program document, this requires manual verification: the check emits the current firewall configuration for comparison.
Rationale
Ports, protocols, and services not covered by the PPSM CLSA — or ones the CLSA prohibits — represent uncontrolled remote-access paths into the system.
Check → Remediate
Checkcommand
echo "MANUAL REVIEW REQUIRED: compare the enabled firewall ports/services below against the site/program PPSM CLSA. Any port, protocol, or service not in the CLSA, or one the CLSA prohibits, is a finding." if command -v firewall-cmd >/dev/null 2>&1; then firewall-cmd --list-all 2>/dev/null || echo " (firewalld is not running)" else echo " (firewall-cmd is not present)" fi exit 0
- expected_exit:
- 0
Remediatemanual
- note:
- Reconcile the firewall configuration with the PPSM CLSA: remove any port/protocol/service not authorized by the CLSA and add controls for any the CLSA requires.
Framework references
STIG
V-281332 / RHEL-10-800000
NIST 800-53
AC-17CM-7
#firewall#remote-access#ppsm#stig#manual