← Back to Nutanix AOS 5.20.x OS Security Technical Implementation Guide

V-254198

CAT II (Medium)

Nutanix AOS must enable an application firewall, if available.

Rule ID

SV-254198r991593_rule

STIG

Nutanix AOS 5.20.x OS Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000366

Discussion

Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network.

Check Content

Confirm Nutanix AOS prohibits or restricts the use of remote access methods, using the iptables firewall service.

$ sudo service iptables status
iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: active (exited) since Mon 2021-08-02 15:02:12 CDT; 2 weeks 6 days ago
 Main PID: 1250 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/iptables.service

If IPv6 is in use:
$ sudo service ip6tables status
ip6tables.service - IPv6 firewall with ip6tables
   Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; enabled; vendor preset: disabled)
   Active: active (exited) since Mon 2021-08-02 15:02:12 CDT; 2 weeks 6 days ago
 Main PID: 1313 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/ip6tables.service

If no iptables services are "Loaded" and "Active", this is a finding.

Fix Text

Configure the system to restrict the use of remote access methods by running the following command.

$ sudo salt-call state.sls security/CVM/iptables/init