RHEL-06-000120.sh
#!/bin/bash
#
##########################################################################
#Red Hat Enterprise Linux 6 - DISA STIG Compliance Remediation Content
#Copyright (C) 2013
#Vincent C. Passaro ([email protected])
#
##########################################################################
#
###################### Buddha Labs LLC ################################
#                    By Vincent C. Passaro                            #
#                    Buddha Labs LLC.                                 #
#                    vince[@]buddhalabs[.]com                         #
#                    www.buddhalabs.com                               #
###################### Buddha Labs LLC ################################
#_________________________________________________________________________
# Version | Change Information | Author | Date
#-------------------------------------------------------------------------
# 1.0 | Initial Script Creation | Vincent Passaro | 1-JUNE-2013
#
#
#######################DISA INFORMATION##################################
# Group ID (Vulid): RHEL-06-000120
# Group Title: SRG-OS-000231
#
# Rule ID: RHEL-06-000120_rule
# Severity: medium
# Rule Version (STIG-ID): RHEL-06-000120
# Rule Title: The system's local IPv4 firewall must implement a deny-all,
# allow-by-exception policy for inbound packets.
#
# Vulnerability Discussion: In "iptables" the default policy is applied
# only after all the applicable rules in the table are examined for a
# match. Setting the default policy to "DROP" implements proper design for
# a firewall, i.e., any packets which are not explicitly permitted should
# not be accepted.
#
# Responsibility:
# IAControls:
#
# Check Content:
#
# Inspect the file "/etc/sysconfig/iptables" to determine the default
# policy for the INPUT chain. It should be set to DROP.
# grep ":INPUT" /etc/sysconfig/iptables
# If the default policy for the INPUT chain is not set to DROP, this is a
# finding.
#
# Fix Text:
#
# To set the default policy to DROP (instead of ACCEPT) for the built-in
# INPUT chain which processes incoming packets, add or correct the
# following line in "/etc/sysconfig/iptables":
# :INPUT DROP [0:0]
#######################DISA INFORMATION##################################
#
# Global Variables
PDI=RHEL-06-000120
#
#BEGIN_CHECK
#END_CHECK
#BEGIN_REMEDY
#END_REMEDY
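The check and fix that the header describes, written out as an added shell example (not part of the original script or of the Buddha Labs content). It assumes GNU awk and mktemp as found on RHEL 6, and takes an optional file path so it can be exercised on a copy rather than the live /etc/sysconfig/iptables; the SAMPLE_IPTABLES content is constructed for illustration.

```shell
#!/bin/bash
# Added example, not part of the original RHEL-06-000120.sh: check and remediate
# the filter table INPUT policy in an iptables-save style file, per the header
# above. Assumes GNU awk and mktemp (RHEL 6); the optional path argument lets the
# functions run on a copy instead of the live /etc/sysconfig/iptables.

# Constructed sample of a non-compliant file. The nat table also declares an
# INPUT chain; only the filter table's policy is in scope for this STIG rule.
SAMPLE_IPTABLES='*nat
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# Print the filter table's INPUT policy (ACCEPT, DROP, ...), or nothing if the
# filter table declares no INPUT chain.
get_filter_input_policy() {
    awk '/^\*/ { table = substr($1, 2) }
         table == "filter" && $1 == ":INPUT" { print $2; exit }' "$1"
}

# Check: 0 when the policy is DROP, 1 when it is a finding, 2 if unreadable.
check_input_policy() {
    local file="${1:-/etc/sysconfig/iptables}"
    [ -r "$file" ] || return 2
    [ "$(get_filter_input_policy "$file")" = "DROP" ]
}

# Remedy: rewrite the filter table's ":INPUT <policy> [pkts:bytes]" line to DROP,
# or add ":INPUT DROP [0:0]" right after "*filter" if it is missing. Writes via a
# temp file and cat's it back so the file's mode and owner are preserved; the
# change is applied on "service iptables restart" or at the next boot.
remediate_input_policy() {
    local file="${1:-/etc/sysconfig/iptables}" tmp
    tmp="$(mktemp)" || return 1
    if [ -n "$(get_filter_input_policy "$file")" ]; then
        awk '/^\*/ { table = substr($1, 2) }
             table == "filter" && $1 == ":INPUT" { $2 = "DROP" }
             { print }' "$file" > "$tmp"
    else
        awk '{ print } /^\*filter$/ { print ":INPUT DROP [0:0]" }' "$file" > "$tmp"
    fi
    cat "$tmp" > "$file" && rm -f "$tmp"
}
```

Running `check_input_policy` alone reports the finding without changing anything; `remediate_input_policy` only edits the filter table's INPUT line and leaves the nat table and the existing -A rules untouched.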