A question on Requirements, in particular STIGs.

Looking through the work-in-progress it appears there is a callout for usage of 
FIREWALLD, otherwise, a Finding.  I would have thought it would be acceptable 
for RHEL Hosts with static configurations to use IPTABLES.  We 
have RHEL Application Server Hosts (Headless) that have static services and 
configurations with well defined static IPTABLES based rules for INPUT/OUTPUT 
(FORWARDING disabled).  There are no dynamic changes that are ever applied to 
these Hosts, and if there are changes, we explicitly account for these.  We 
are moving from RHEL6 to RHEL7 and do not see any security benefit in moving 
the INPUT rule set to be managed by FIREWALLD.  If FIREWALLD evolves to be a 
complete controller of IPTABLES Rules, rather than a mixture of FIREWALLD 
managing some, while others must be manually configured in IPTABLES, then we will 
move to FIREWALLD.  We would like to see the STIG Requirements provide for an 
OR Case to allow for STATIC based IPTABLES Usage, rather than requiring usage 
of FIREWALLD.

Who is handling this area to discuss this, and make acceptable the usage of 
STATIC IPTABLES Rules?




Jeff
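The kind of static ruleset the post describes, as an added example that is not part of the original message or of the SCAP Security Guide project: default-deny INPUT and OUTPUT, FORWARD disabled with no rules, a fixed set of allowed services, and a logging rule before the policy drop so denied traffic is auditable. The management subnet (10.0.0.0/24) and application port (8443) are assumed placeholders. The script emits the ruleset in iptables-save format, which on RHEL 7 is what the iptables-services unit loads from /etc/sysconfig/iptables once firewalld is masked, and it carries a small check that an auditor could run against the file to confirm the three chain policies and the empty FORWARD chain before loading it. Whether such a configuration satisfies the STIG text is the policy question the post raises; the example only shows the configuration itself.

```bash
#!/bin/bash
# Static iptables ruleset for a headless RHEL 7 application host.
# Assumed placeholders (not from the post): management subnet and app port.
MGMT_NET="${MGMT_NET:-10.0.0.0/24}"
APP_PORT="${APP_PORT:-8443}"

# Emit the complete ruleset in iptables-save format (what
# /etc/sysconfig/iptables contains when loaded by iptables-services).
static_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -s ${MGMT_NET} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport ${APP_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "IPT-INPUT-DROP: " --log-level 4
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -j LOG --log-prefix "IPT-OUTPUT-DROP: " --log-level 4
COMMIT
EOF
}

# Audit check on the ruleset text: every built-in chain must default to DROP
# and FORWARD must carry no rules at all (forwarding is disabled by policy).
check_ruleset() {
  local rules="$1"
  printf '%s\n' "$rules" | grep -q '^:INPUT DROP'   || return 1
  printf '%s\n' "$rules" | grep -q '^:OUTPUT DROP'  || return 1
  printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
  ! printf '%s\n' "$rules" | grep -q '^-A FORWARD'  || return 1
  return 0
}

# Number of rules appended to a chain, e.g. count_chain_rules INPUT "$rules".
count_chain_rules() {
  printf '%s\n' "$2" | grep -c "^-A $1 " || true
}

# Stand-alone use: print the ruleset only if it passes the audit check.
# To install on RHEL 7 (as root):
#   ./static-iptables.sh > /etc/sysconfig/iptables
#   iptables-restore --test < /etc/sysconfig/iptables
#   systemctl mask firewalld && systemctl enable iptables && systemctl restart iptables
_rules="$(static_ruleset)"
check_ruleset "$_rules" && printf '%s\n' "$_rules"
```

The OUTPUT chain is the part most often skipped; keeping it default-deny with only DNS, NTP and reply traffic allowed is what makes the "static" claim in the post auditable, since any new outbound dependency has to show up as an explicit rule change rather than silently working.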

-- 
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/