← Rules Catalog
mediumnetworkunverified

Ensure firewalld services and ports are configured per policy

firewalld-services-ports-reviewed · RHEL ≥ 8 · 1 impl

Description

The services and ports allowed by firewalld must match the organization's approved list — only required services/ports are open.

Rationale

Every open service or port is attack surface; unreviewed openings may expose unauthorized or vulnerable services.

Check → Remediate

Checkcommand
command -v firewall-cmd >/dev/null 2>&1 || { echo "NOT APPLICABLE: firewalld not present"; exit 0; }
echo "MANUAL: review the allowed services/ports against the approved list:"
firewall-cmd --list-all-zones 2>/dev/null | grep -E 'services:|ports:' | head
# Detection-only surfacing; disposition requires the site's approved list.
exit 0
expected_exit:
0
Remediatemanual
note:
Compare firewall-cmd --list-services / --list-ports for each active zone against the organization's approved services/ports list; remove any that are not required.

Framework references

CIS

rhel8 4.1.7rhel10 4.1.7

NIST 800-53

CM-7
#firewalld#services#ports#manual#cis