mediumnetworkunverified
Ensure firewalld services and ports are configured per policy
firewalld-services-ports-reviewed · RHEL ≥ 8 · 1 impl
Description
The services and ports allowed by firewalld must match the organization's approved list — only required services/ports are open.
Rationale
Every open service or port is attack surface; unreviewed openings may expose unauthorized or vulnerable services.
Check → Remediate
Checkcommand
command -v firewall-cmd >/dev/null 2>&1 || { echo "NOT APPLICABLE: firewalld not present"; exit 0; }
echo "MANUAL: review the allowed services/ports against the approved list:"
firewall-cmd --list-all-zones 2>/dev/null | grep -E 'services:|ports:' | head
# Detection-only surfacing; disposition requires the site's approved list.
exit 0
- expected_exit:
- 0
Remediatemanual
- note:
- Compare firewall-cmd --list-services / --list-ports for each active zone against the organization's approved services/ports list; remove any that are not required.
Framework references
CIS
rhel8 4.1.7rhel10 4.1.7
NIST 800-53
CM-7
#firewalld#services#ports#manual#cis