diff --git a/linux_os/guide/system/network/network_implement_access_control/oval/shared.xml b/linux_os/guide/system/network/network_implement_access_control/oval/shared.xml
new file mode 100644
index 00000000000..15459cc11cc
--- /dev/null
+++ b/linux_os/guide/system/network/network_implement_access_control/oval/shared.xml
@@ -0,0 +1,101 @@
+<def-group>
+    <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("Configure the access control program to grant or deny access to
+      specific hosts and services") }}}
+    <criteria operator="OR">
+      <criteria operator="AND">
+        <extend_definition comment="package firewalld installed" definition_ref="package_firewalld_installed" />
+        <extend_definition comment="service firewalld enabled" definition_ref="service_firewalld_enabled" />
+        <criteria operator="OR">
+            <criterion comment="firewalld's default zone is configured to grant access to
+                specific hosts" test_ref="test_firewalld_default_zone_hosts_configured" />
+            <criterion comment="firewalld's default zone is configured to grant access to
+                specific services" test_ref="test_firewalld_default_zone_services_configured" />
+        </criteria>
+      </criteria>
+      <criteria operator="OR">
+         <criterion comment="tcpwrappers allow list is configured"
+           test_ref="test_tcpwrappers_allow_list_not_empty" />
+         <criterion comment="tcpwrappers deny list is configured"
+           test_ref="test_tcpwrappers_deny_list_not_empty" />
+      </criteria>
+    </criteria>
+  </definition>
+
+  <local_variable id="var_firewalld_default_zone_filename" datatype="int" version="1"
+      comment="Name of the zone definition file">
+    <concat>
+       <object_component item_field="subexpression" object_ref="obj_firewalld_default_zone"/>
+       <literal_component>.xml</literal_component>
+    </concat>
+  </local_variable>
+
+  <ind:textfilecontent54_test id="test_tcpwrappers_allow_list_not_empty" check="all"
+      check_existence="all_exist" comment="check if /etc/hosts.allow is empty" version="1">
+    <ind:object object_ref="obj_file_empty_hosts_allow"/>
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_file_empty_hosts_allow" version="1">
+    <ind:filepath>/etc/hosts.allow</ind:filepath>
+    <ind:pattern operation="pattern match">^[^#]+</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test id="test_tcpwrappers_deny_list_not_empty" check="all"
+      check_existence="all_exist" comment="check if /etc/hosts.deny is empty" version="1">
+    <ind:object object_ref="obj_file_empty_hosts_deny"/>
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_file_empty_hosts_deny" version="1">
+    <ind:filepath>/etc/hosts.deny</ind:filepath>
+    <ind:pattern operation="pattern match">^[^#]+</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="obj_firewalld_default_zone" version="1">
+    <ind:filepath>/etc/firewalld/firewalld.conf</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*DefaultZone=(\w+)$</ind:pattern>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="any_exist"
+    comment="check if firewalld's default zone is configured to grant access to specific hosts"
+    id="test_firewalld_default_zone_hosts_configured" version="1">
+    <ind:object object_ref="obj_firewalld_public_zone_hosts_configured" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_firewalld_public_zone_hosts_configured"
+    version="1">
+  <ind:path operation="pattern match">^/(etc|usr/lib)/firewalld/zones/</ind:path>
+    <ind:filename var_ref="var_firewalld_default_zone_filename"></ind:filename>
+    <ind:pattern operation="pattern match">^[\s]+&lt;source (address|mac|ipset)="[\w:]+"[\s]*/&gt;$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="any_exist"
+    comment="check if firewalld's default zone is configured to grant access to specific services"
+    id="test_firewalld_default_zone_services_configured" version="1">
+    <ind:object object_ref="obj_firewalld_public_zone_services_configured" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_firewalld_public_zone_services_configured"
+    version="1">
+  <ind:path operation="pattern match">^/(etc|usr/lib)/firewalld/zones/</ind:path>
+    <ind:filename var_ref="var_firewalld_default_zone_filename"></ind:filename>
+    <ind:pattern operation="pattern match">^[\s]+&lt;service name="\w+"[\s]*/&gt;$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="none_exist"
+    comment="check if there is an user-defined public zone definition file"
+    id="test_no_user_defined_public_zone_file" version="1">
+    <ind:object object_ref="obj_no_user_defined_public_zone_file" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_no_user_defined_public_zone_file"
+    version="1">
+    <ind:filepath>/etc/firewalld/zones/public.xml</ind:filepath>
+    <ind:pattern operation="pattern match">.*</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>
diff --git a/linux_os/guide/system/network/network_implement_access_control/rule.yml b/linux_os/guide/system/network/network_implement_access_control/rule.yml
index 1f5650c83a9..7e8d8388315 100644
--- a/linux_os/guide/system/network/network_implement_access_control/rule.yml
+++ b/linux_os/guide/system/network/network_implement_access_control/rule.yml
@@ -80,3 +80,9 @@ ocil: |-
     If "firewalld" is not active and configured, and the "hosts.allow" and
     "hosts.deny" files are empty, this is a finding.
 
+warnings:
+    - general: |-
+        This rule checks that either firewalld or tcpwrappers are being used
+        to restrict system access to some hosts and/or services. It does not
+        check for any specific hosts/services. Make sure that the allowed
+        hosts/services meet your operational needs.