CCE-95706-8
Platform: cpe:/o:ubuntu:ubuntu_linux:18.04, cpe:/o:ubuntu:ubuntu_linux:22.04, cpe:/o:debian:debian_linux:11.x, cpe:/o:ubuntu:ubuntu_linux:20.04, cpe:/o:ubuntu:ubuntu_linux:16.04, cpe:/o:ubuntu:ubuntu_linux:23.04
Date: (C)2021-07-27 (M)2023-09-01
A default deny-all policy on connections ensures that any unconfigured network usage is rejected. With a default accept policy, the firewall accepts any packet that is not explicitly configured to be denied. It is easier to whitelist acceptable usage than to blacklist unacceptable usage.
FIX:
Make sure iptables-persistent is installed.
If you are using iptables:
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP
or, if you are using ufw:
# ufw default deny incoming
# ufw default deny outgoing
# ufw default deny routed
Then persist the rules:
# iptables-save > /etc/iptables/rules.v4
# ip6tables-save > /etc/iptables/rules.v6
Revert:
If you are using iptables:
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD ACCEPT
or, if you are using ufw:
# ufw default allow incoming
# ufw default allow outgoing
# ufw default allow routed
Then persist the rules:
# iptables-save > /etc/iptables/rules.v4
# ip6tables-save > /etc/iptables/rules.v6
Note:
1. If the INPUT or OUTPUT policy is set to DROP, the Saner agent and all other remote services and servers will not be able to contact your machine.
Parameter:
[Yes/No]
Technical Mechanism:
Run the following commands:
# ufw default deny incoming
# ufw default deny outgoing
# ufw default deny routed
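The FIX and Technical Mechanism sections above set the default policies but give no way to confirm they took effect before the next scan. The script below is an added example, not part of the SecPod record: it audits the default policies from the output of `iptables -S` (for the iptables variant) and of `ufw status verbose` (for the ufw variant), reporting any chain or direction that is not set to DROP/deny. The sample outputs embedded in it are constructed, not captured from a real host; the parsing assumes the standard `-P CHAIN POLICY` lines of `iptables -S` and the `Default: deny (incoming), deny (outgoing), deny (routed)` line of `ufw status verbose`.

```shell
#!/bin/sh
# Added example, not part of the SecPod record: verify that the default-deny
# policies from the FIX section are in effect. Each check reads the tool's own
# output on stdin, so on a real host it is run as
#   iptables -S | check_iptables_policies
#   ufw status verbose | check_ufw_defaults
# and below it is run against constructed samples.

# Exit 0 when INPUT, OUTPUT and FORWARD all have policy DROP; otherwise print
# the offending chains and exit 1.
check_iptables_policies() {
    awk '
        $1 == "-P" && ($2 == "INPUT" || $2 == "OUTPUT" || $2 == "FORWARD") {
            policy[$2] = $3
        }
        END {
            rc = 0
            n = split("INPUT OUTPUT FORWARD", chains, " ")
            for (i = 1; i <= n; i++) {
                c = chains[i]
                if (!(c in policy)) {
                    print c ": no policy line found"; rc = 1
                } else if (policy[c] != "DROP") {
                    print c ": policy is " policy[c] " (expected DROP)"; rc = 1
                }
            }
            exit rc
        }'
}

# Exit 0 when the "Default:" line of `ufw status verbose` reports deny for
# incoming, outgoing and routed; otherwise print what differs and exit 1.
check_ufw_defaults() {
    awk '
        /^Default:/ {
            found = 1
            line = $0
            sub(/^Default: */, "", line)
            n = split(line, parts, /, */)
            for (i = 1; i <= n; i++) {
                split(parts[i], kv, " ")       # kv[1]=action, kv[2]="(direction)"
                dir = kv[2]; gsub(/[()]/, "", dir)
                action[dir] = kv[1]
            }
        }
        END {
            if (!found) { print "no Default: line found"; exit 1 }
            rc = 0
            n = split("incoming outgoing routed", dirs, " ")
            for (i = 1; i <= n; i++) {
                d = dirs[i]
                if (!(d in action)) {
                    print d ": not reported"; rc = 1
                } else if (action[d] != "deny") {
                    print d ": default is " action[d] " (expected deny)"; rc = 1
                }
            }
            exit rc
        }'
}

# Constructed samples (not captured from a real host).
IPTABLES_HARDENED='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

IPTABLES_DEFAULT='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

UFW_HARDENED='Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), deny (routed)
New profiles: skip'

UFW_DEFAULT='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip'

main() {
    printf '%s\n' "$IPTABLES_HARDENED" | check_iptables_policies && echo "iptables: compliant"
    printf '%s\n' "$IPTABLES_DEFAULT"  | check_iptables_policies || echo "iptables: not compliant"
    printf '%s\n' "$UFW_HARDENED" | check_ufw_defaults && echo "ufw: compliant"
    printf '%s\n' "$UFW_DEFAULT"  | check_ufw_defaults || echo "ufw: not compliant"
}

main "$@"
```

Run the iptables check after the `iptables-save` step so that what is audited is the persisted state, and keep the Note above in mind: a compliant OUTPUT DROP result also means the Saner agent cannot reach out until explicit allow rules are in place.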
CCSS Severity:
CCSS Score: 9.9
Exploit Score: 3.1
Impact Score: 6.0
Severity: CRITICAL
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:H

CCSS Metrics:
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality: HIGH
Integrity: LOW
Availability: HIGH
References:
Resource Id | Reference
---|---
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:85283
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:73990
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:87422
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:73988
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:73986
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:92233