1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
|
documentation_complete: true
title: 'Configure Firewalld to Use the Nftables Backend'
description: |-
Firewalld can be configured with many backends, such as nftables.
rationale: |-
Nftables is modern kernel module for controling network connections coming into a system.
Utilizing the limit statement in "nftables" can help to mitigate DoS attacks.
severity: medium
platform: package[firewalld]
identifiers:
cce@rhel8: CCE-86506-3
cce@rhel9: CCE-86507-1
cce@rhel10: CCE-87099-8
cce@sle15: CCE-92470-4
cce@slmicro5: CCE-94012-2
references:
cis@sle15: 3.5.2.1
nist: SC-5
srg: SRG-OS-000420-GPOS-00186
stigid@ol8: OL08-00-040150
ocil_clause: 'the "nftables" is not set as the "firewallbackend"'
ocil: |-
Verify "nftables" is configured to allow rate limits on any connection to the system with the following command:
Verify "firewalld" has "nftables" set as the default backend:
$ sudo grep -i firewallbackend /etc/firewalld/firewalld.conf
# FirewallBackend
FirewallBackend=nftables
fixtext: |-
Configure "nftables" to be the default "firewallbackend" for "firewalld" by adding or editing the following line in "/etc/firewalld/firewalld.conf":
FirewallBackend=nftables
Establish rate-limiting rules based on organization-defined types of DoS attacks on impacted network interfaces.
srg_requirement: 'A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring {{{ full_name }}} can implement rate-limiting measures on impacted network interfaces.'
template:
name: shell_lineinfile
vars:
path: /etc/firewalld/firewalld.conf
parameter: FirewallBackend
value: nftables
no_quotes: 'true'
|
