Nutanix OS must enable an application firewall.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-279586 | NXAC-OS-000133 | SV-279586r1192556_rule | CCI-001764 | medium |

| Description |
|---|
| Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network. Satisfies: SRG-OS-000480-GPOS-00232, SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155 |

| STIG | Date |
|---|---|
| Nutanix Acropolis GPOS Security Technical Implementation Guide | 2026-02-24 |
Details
Check Text (C-279586r1192556_chk)
1. Verify that AOS, Prism Central, and Files have "fapolicyd" installed and configured for a deny-all, permit-by-exception policy using the following commands.
$ sudo systemctl status fapolicyd.service
fapolicyd.service - File Access Policy Daemon
Loaded: loaded (/usr/lib/systemd/system/fapolicyd.service; enabled; vendor preset: disabled)
Active: active (running)
$ sudo grep permissive /etc/fapolicyd/fapolicyd.conf
permissive = 0
$ sudo tail /etc/fapolicyd/compiled.rules
deny_audit perm=any pattern=ld_so : all
deny_audit perm=any all : ftype=application/x-bad-elf
allow perm=open all : ftype=application/x-sharedlib trust=1
deny perm=any all : all
2. For AHV, verify iptables services are "Loaded" and "Active".
$ sudo service iptables status
iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
Active: active (exited) since Mon 2021-08-02 15:02:12 CDT; 2 weeks 6 days ago
Main PID: 1250 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/iptables.service
3. If IPv6 is in use, run the following command.
$ sudo service ip6tables status
ip6tables.service - IPv6 firewall with ip6tables
Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; enabled; vendor preset: disabled)
Active: active (exited) since Mon 2021-08-02 15:02:12 CDT; 2 weeks 6 days ago
Main PID: 1313 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/ip6tables.service
If an application firewall is not installed, enabled, or configured, this is a finding.
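The three conditions above (unit enabled and active, `permissive = 0`, and a trailing catch-all deny rule) are easy to eyeball once but tedious to re-verify across many CVMs. The following shell functions are an added example, not part of the STIG or of Nutanix's own tooling: they apply the same conditions to captured command output so the "is this a finding" decision can be exercised offline. The file names (`status.txt`, `fapolicyd.conf`, `compiled.rules`) and the sample contents written by `make_samples` are constructed; on a real host you would feed it the output of the commands shown in the check text instead.

```shell
#!/bin/sh
# Added example, not from the STIG or Nutanix: evaluates the fapolicyd/iptables
# conditions from the check text against captured command output.
# File names and sample contents are constructed for offline use.

# check_unit_active STATUSFILE: 0 when the captured `systemctl status` output
# shows the unit both enabled and active. "active (exited)" is accepted because
# the iptables/ip6tables units are oneshot services that report that state.
check_unit_active() {
  grep -q 'Loaded: loaded (.*; enabled;' "$1" && grep -q 'Active: active' "$1"
}

# check_permissive CONF: 0 when fapolicyd.conf sets "permissive = 0" (enforcing).
# A missing or non-zero value is a finding; the last occurrence wins.
check_permissive() {
  val=$(sed -n 's/^[[:space:]]*permissive[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
  [ "$val" = "0" ]
}

# check_final_deny RULES: 0 when the last non-comment, non-blank compiled rule is
# the catch-all "deny perm=any all : all" that makes the policy deny-by-default.
check_final_deny() {
  last=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | tail -n 1 \
         | sed 's/[[:space:]]*$//' | tr -s ' ')
  [ "$last" = "deny perm=any all : all" ]
}

# evaluate_fapolicyd STATUSFILE CONF RULES: prints "compliant" or "finding",
# exit status 0 or 1 respectively.
evaluate_fapolicyd() {
  if check_unit_active "$1" && check_permissive "$2" && check_final_deny "$3"; then
    echo compliant; return 0
  fi
  echo finding; return 1
}

# make_samples DIR VARIANT: writes constructed captures into DIR. VARIANT is
# good (matches the check text), permissive (permissive = 1) or norule (no final deny).
make_samples() {
  dir=$1; variant=$2
  cat >"$dir/status.txt" <<'EOF'
fapolicyd.service - File Access Policy Daemon
   Loaded: loaded (/usr/lib/systemd/system/fapolicyd.service; enabled; vendor preset: disabled)
   Active: active (running)
EOF
  if [ "$variant" = permissive ]; then
    printf 'permissive = 1\n' >"$dir/fapolicyd.conf"
  else
    printf '# constructed sample\npermissive = 0\n' >"$dir/fapolicyd.conf"
  fi
  {
    echo 'deny_audit perm=any pattern=ld_so : all'
    echo 'deny_audit perm=any all : ftype=application/x-bad-elf'
    echo 'allow perm=open all : ftype=application/x-sharedlib trust=1'
    [ "$variant" = norule ] || echo 'deny perm=any all : all'
  } >"$dir/compiled.rules"
}

# Stand-alone run: evaluate each constructed variant from a temporary directory.
for v in good permissive norule; do
  d=$(mktemp -d); make_samples "$d" "$v"
  printf '%s: ' "$v"
  evaluate_fapolicyd "$d/status.txt" "$d/fapolicyd.conf" "$d/compiled.rules" || true
  rm -rf "$d"
done
```

The final-rule check is deliberately strict: a policy whose last rule is anything other than the catch-all deny (for example a trailing `allow`) is reported as a finding even if `permissive = 0`, because without that rule fapolicyd is not deny-by-default. Run the same functions against real captures by replacing the `make_samples` output with the files you collected.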
Fix Text (F-84044r1192555_fix)
1. For AOS, configure fapolicyd.service using the following command.
$ sudo salt-call state.sls security/CVM/fapolicydCVM.sls
2. For Prism Central, configure fapolicyd.service using the following command.
$ sudo salt-call state.sls security/PCVM/fapolicydPCVM.sls
3. For Files, configure fapolicyd.service using the following command.
$ sudo salt-call state.sls security/AFS/fapolicydAFS.sls
4. Configure AHV to restrict SSH using the following command.
$ sudo salt-call state.sls security/KVM/iptables/init