diff --git a/linux_os/guide/system/network/network-ufw/ufw_rate_limit/rule.yml b/linux_os/guide/system/network/network-ufw/ufw_rate_limit/rule.yml
index 622faac9c40..9ad0b2587a2 100644
--- a/linux_os/guide/system/network/network-ufw/ufw_rate_limit/rule.yml
+++ b/linux_os/guide/system/network/network-ufw/ufw_rate_limit/rule.yml
@@ -7,6 +7,25 @@ description: |-
 The operating system must configure the uncomplicated firewall to rate-limit impacted network interfaces.
+ Check all the services listening to the ports with the following
+ command:
+
$ sudo ss -l46ut + Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process + tcp LISTEN 0 128 [::]:ssh [::]:*+ + For each entry, verify that the ufw is configured to rate limit the + service ports with the following command: +
$ sudo ufw status+ + If any port with a state of "LISTEN" is not marked with the "LIMIT" + action, run the following command, replacing "service" with the + service that needs to be rate limited: +
$ sudo ufw limit "service"+ + Rate-limiting can also be done on an interface. An example of adding + a rate-limit on the eth0 interface follows: +
$ sudo ufw limit in on eth0
+
 rationale: |-
 This requirement addresses the configuration of the operating system to mitigate the impact of DoS attacks that have occurred or are ongoing on
diff --git a/linux_os/guide/system/network/network-ufw/ufw_rate_limit/sce/shared.sh b/linux_os/guide/system/network/network-ufw/ufw_rate_limit/sce/shared.sh
new file mode 100644
index 00000000000..42b580778d4
--- /dev/null
+++ b/linux_os/guide/system/network/network-ufw/ufw_rate_limit/sce/shared.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# check-import = stdout
+
+ufw_status="$(ufw status verbose)"
+
+# check ufw is running
+if grep -q "Status: inactive" <<< "$ufw_status"; then
+ exit $XCCDF_RESULT_FAIL
+fi
+
+# check default incoming rule is not allow
+if grep -q "Default: allow (incoming)" <<< "$ufw_status"; then
+ exit $XCCDF_RESULT_FAIL
+fi
+
+# check that listening ports which are open in the firewall are
+# not "ALLOW IN", and are thus rate-limited, deny or rejected, or
+# or using the default rule
+while read -r lpn;
+do
+ if grep -Pq "^\h*$lpn\b.*ALLOW IN" <<< "$ufw_status"; then
+ exit $XCCDF_RESULT_FAIL
+ fi
+done < <(ss -tulnH | awk '{n=split($5, a, ":"); print a[n]}' | sort -u)
+
+exit $XCCDF_RESULT_PASS
diff --git a/linux_os/guide/system/network/network-ufw/ufw_rate_limit/tests/allow.fail.sh b/linux_os/guide/system/network/network-ufw/ufw_rate_limit/tests/allow.fail.sh
new file mode 100644
index 00000000000..151d98ec5fd
--- /dev/null
+++ b/linux_os/guide/system/network/network-ufw/ufw_rate_limit/tests/allow.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# platforms = multi_platform_ubuntu
+# packages = ufw
+# remediation = none
+
+source common.sh
+
+ufw allow 22
+ufw limit 53
+ufw deny 631
+ufw -f enable
+
diff --git a/linux_os/guide/system/network/network-ufw/ufw_rate_limit/tests/common.sh b/linux_os/guide/system/network/network-ufw/ufw_rate_limit/tests/common.sh
new file mode 100644
index 00000000000..ce64b1df98e
--- /dev/null
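Review bot: An empty `ufw_status` passes every check in sce/shared.sh, so a host where `ufw status verbose` fails (ufw not installed, or the check not running as root) is reported as PASS because neither `grep -q` matches and the port loop never fails; the running-state test should be a positive match, `if ! grep -q "Status: active" <<< "$ufw_status"; then`, so a missing or errored status fails closed. The port loop only matches rules that start with the numeric port (`^\h*$lpn\b`), so a port opened through an application profile (a status line such as `OpenSSH  ALLOW IN  Anywhere`) appears not to be detected and would pass as rate-limited; if that limitation is intended, a comment on the loop and a test scenario alongside tests/allow.fail.sh would document it. Since `check-import = stdout` is set, printing the offending port before `exit $XCCDF_RESULT_FAIL` would make the failure actionable in the report.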
+++ b/linux_os/guide/system/network/network-ufw/ufw_rate_limit/tests/common.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# mock `ss -tulnH`
+
+cat > /usr/local/bin/ss <