Check: GEN005600
HP-UX 11.23 STIG:
GEN005600
(in version v1 r8)
Title
IP forwarding for IPv4 must not be enabled, unless the system is a router. (Cat II impact)
Discussion
If the system is configured for IP forwarding and is not a designated router, it could be used to bypass network security by providing a path for communication not filtered by network devices.
Check Content
The configuration file entries will appear as follows: TRANSPORT_NAME[x]=ip NDD_NAME[x]=ip_forwarding NDD_VALUE[x]=0 NOTE: The setting for the "ip_forwarding" interface will be initialized on a separate line referencing a specific NDD index. # cat /etc/rc.config.d/nddconf | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v '^#' | \ grep -i ip_forwarding | cut -f 1,1 -d "=" | tr -d [:alpha:] | tr -d [:punct:] If the above command returns nothing, this check is not a finding. If the above command does return an index value: # cat /etc/rc.config.d/nddconf | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v '^#' | \ grep "[the ip_forwarding INDEX number from the above command]" NOTE: The above command must (literally) contain the ASCII punctuation characters [ and ] exactly as depicted above. If the return value is not set to 0, ask the SA if the machine is a designated router. If it is not a designated router, this is a finding. If it is a designated router, this is not a finding.
Fix Text
Edit /etc/rc.config.d/nddconf and set the ip_forwarding option to 0.
Additional Identifiers
Rule ID: SV-35177r1_rule
Vulnerability ID: V-12023
Group Title: GEN005600
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |