Suggestion: update wording in SO 2.4 documentation to state "Security Onion locks down the Firewall by default" for STIG audit #12917
Replies: 2 comments 1 reply
-
Can put all the words in the user manual and documentation you want...the entire point of an audit is to see what is really true. User manual documentation is not sufficient for this. I'd stick with your manual validation.
-
I've updated the documentation for the upcoming 2.4.70 release:
-
We had gone through a pre-inspection for STIG compliance and our auditor wanted to see that so-firewall had an explicit "deny by default" setting set. Using the firewalld daemon, this can be accomplished by running "sudo firewall-cmd --info-zone=[custom] | grep target" and it should return with "target: DROP". If there is no way to do this on the command line with so-firewall or on the SOC, can the 2.4 documentation add the line that was in the 2.3 documentation (section 17.2 so-allow) "Security Onion locks down the Firewall by default", as that phrase is not in the 2.4 documentation. For reference I am referring to STIG vuln-id V-248839. I understand that is for Oracle Linux 8 but we are anticipating that vuln id will still be present in the upcoming OL9 STIG.
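The firewalld check described in the question, extended to every active zone, as an added example that is not part of the original thread or of Security Onion's own tooling. It assumes firewalld is the firewall in use and that only `target: DROP` counts as conforming; the zone names and interfaces in the sample are constructed.

```shell
#!/bin/sh
# Audit firewalld zone targets from `firewall-cmd --list-all-zones` style text.
# Assumption: only "target: DROP" satisfies the auditor's deny-by-default check.

# Reads zone listings on stdin, prints "zone target" for each active zone
# whose target is anything other than DROP (default, ACCEPT, %%REJECT%%).
nonconforming_zones() {
    awk '
        # Zone header starts in column 1: "public (active)", "public (default, active)", "block"
        /^[^ \t]/ { zone = $1; active = ($0 ~ /\(.*active.*\)/) }
        # The indented target line belongs to the zone header seen last
        /^[ \t]+target:/ { if (active && $2 != "DROP") print zone, $2 }
    '
}

# Returns 0 when every active zone drops by default, 1 otherwise.
audit_default_deny() {
    bad=$(nonconforming_zones)
    if [ -n "$bad" ]; then
        # $bad is left unquoted on purpose: printf repeats the format per zone/target pair
        printf 'FAIL: active zone %s has target %s\n' $bad
        return 1
    fi
    echo "PASS: all active zones have target DROP"
}

# Constructed sample output (not captured from a real host).
sample_zones() {
    cat <<'EOF'
soc (active)
  target: DROP
  interfaces: eth0
  services: ssh

public (default, active)
  target: default
  interfaces: eth1
  services: ssh dhcpv6-client

trusted
  target: ACCEPT
  interfaces:
EOF
}

# Demo on the sample; on a live host: sudo firewall-cmd --list-all-zones | audit_default_deny
sample_zones | audit_default_deny || true
```

The inactive `trusted` zone is ignored because it has no interfaces or sources bound to it; the captured output, saved with a timestamp, gives the auditor the manual validation the first reply recommends.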