Nutanix OS must enable an application firewall.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-279586 | SRG-OS-000480-GPOS-00232 | NXAC-OS-000133 | SV-279586r1192556_rule | 2026-02-24 | 1 |
Description
Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network.
Satisfies: SRG-OS-000480-GPOS-00232, SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155
ℹ️ Check
1. Verify that AOS, Prism Central, and Files have "fapolicyd" installed and configured for a deny-all, permit-by-exception policy using the following commands.
$ sudo systemctl status fapolicyd.service
fapolicyd.service - File Access Policy Daemon
Loaded: loaded (/usr/lib/systemd/system/fapolicyd.service; enabled; vendor preset: disabled)
Active: active (running)
$ sudo grep permissive /etc/fapolicyd/fapolicyd.conf
permissive = 0
$ sudo tail /etc/fapolicyd/compiled.rules
deny_audit perm=any pattern=ld_so : all
deny_audit perm=any all : ftype=application/x-bad-elf
allow perm=open all : ftype=application/x-sharedlib trust=1
deny perm=any all : all
2. For AHV, verify iptables services are "Loaded" and "Active".
$ sudo service iptables status
iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
Active: active (exited) since Mon 2021-08-02 15:02:12 CDT; 2 weeks 6 days ago
Main PID: 1250 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/iptables.service
3. If IPv6 is in use, run the following command.
$ sudo service ip6tables status
ip6tables.service - IPv6 firewall with ip6tables
Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; enabled; vendor preset: disabled)
Active: active (exited) since Mon 2021-08-02 15:02:12 CDT; 2 weeks 6 days ago
Main PID: 1313 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/ip6tables.service
If an application firewall is not configured or is not installed or enabled, this is a finding.
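The check above is performed by eye on live systems. As an added example (not part of the STIG text or any Nutanix tooling), the following POSIX shell script evaluates the same three conditions offline against captured artifacts: a fapolicyd.conf, a compiled.rules file, and saved `systemctl status` output. It assumes the conf file sets `permissive = 0` or `1` on its own line, that the rule file's last effective rule must be `deny perm=any all : all` for deny-by-default, and that a healthy service report contains both `Loaded: loaded` and `Active: active`. The sample inputs are constructed and written to a temporary directory so the script runs without touching a real host.

```shell
#!/bin/sh
# Added example: offline evaluation of the fapolicyd/iptables check (not STIG or Nutanix code).

# fapolicyd_enforcing CONF: exit 0 when the last effective "permissive" setting is 0.
fapolicyd_enforcing() {
    val=$(sed -n 's/^[[:space:]]*permissive[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$1" | tail -n 1)
    [ "$val" = "0" ]
}

# fapolicyd_deny_by_default RULES: exit 0 when the last non-blank, non-comment
# rule (whitespace-normalised) is the catch-all "deny perm=any all : all".
fapolicyd_deny_by_default() {
    last=$(awk 'NF && $1 !~ /^#/ { l = $0 } END { $0 = l; $1 = $1; print }' "$1")
    [ "$last" = "deny perm=any all : all" ]
}

# service_loaded_and_active STATUSFILE: exit 0 when captured "systemctl status"
# output shows the unit both loaded and active (running or exited).
service_loaded_and_active() {
    grep -q 'Loaded: loaded' "$1" && grep -q 'Active: active' "$1"
}

# fapolicyd_check CONF RULES: combined verdict; exit 0 = not a finding, 1 = finding.
fapolicyd_check() {
    if fapolicyd_enforcing "$1" && fapolicyd_deny_by_default "$2"; then
        echo "fapolicyd: enforcing with trailing deny-all rule (not a finding)"
        return 0
    fi
    echo "fapolicyd: permissive mode or no trailing deny-all rule (FINDING)"
    return 1
}

# Constructed sample inputs (labelled as such) so the script runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.conf" <<'EOF'
# constructed sample fapolicyd.conf
permissive = 0
EOF
cat > "$demo_dir/bad.conf" <<'EOF'
# constructed sample: daemon only logs, never blocks
permissive = 1
EOF
cat > "$demo_dir/good.rules" <<'EOF'
deny_audit perm=any pattern=ld_so : all
deny_audit perm=any all : ftype=application/x-bad-elf
allow perm=open all : ftype=application/x-sharedlib trust=1
deny perm=any all : all
EOF
cat > "$demo_dir/bad.rules" <<'EOF'
# constructed sample: permit-by-default, the opposite of the required policy
allow perm=open all : ftype=application/x-sharedlib trust=1
allow perm=any all : all
EOF
cat > "$demo_dir/iptables.status" <<'EOF'
iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: active (exited) since Mon 2021-08-02 15:02:12 CDT; 2 weeks 6 days ago
EOF

fapolicyd_check "$demo_dir/good.conf" "$demo_dir/good.rules"
fapolicyd_check "$demo_dir/bad.conf"  "$demo_dir/good.rules" || true
fapolicyd_check "$demo_dir/good.conf" "$demo_dir/bad.rules"  || true
if service_loaded_and_active "$demo_dir/iptables.status"; then
    echo "iptables: loaded and active (not a finding)"
else
    echo "iptables: not loaded/active (FINDING)"
fi
```

On a real host you would feed the functions the actual files (`/etc/fapolicyd/fapolicyd.conf`, `/etc/fapolicyd/compiled.rules`) and the saved output of `systemctl status fapolicyd.service` or `service iptables status`; the rule-order test matters because fapolicyd evaluates rules top-down and an `allow ... all : all` placed before the final deny would silently defeat the deny-by-default intent.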
✔️ Fix
1. For AOS, configure fapolicyd.service using the following command.
$ sudo salt-call state.sls security/CVM/fapolicydCVM.sls
2. For Prism Central, configure fapolicyd.service using the following command.
$ sudo salt-call state.sls security/PCVM/fapolicydPCVM.sls
3. For Files, configure fapolicyd.service using the following command.
$ sudo salt-call state.sls security/AFS/fapolicydAFS.sls
4. Configure AHV to restrict SSH access using the following command.
$ sudo salt-call state.sls security/KVM/iptables/init