Check: GEN007920
HP-UX 11.31 STIG:
GEN007920
(in versions v1 r19 through v1 r13)
Title
The system must not forward IPv6 source-routed packets. (Cat II impact)
Discussion
Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.
Check Content
Determine if the system is configured for packet forwarding. # ndd -get /dev/ip6 ip6_forwarding If the command returns 0 (disabled), this is not a finding. If the command returns 1 (enabled), ask the SA if the system is configured to act as a router, this is a finding.
Fix Text
Configure the system to not forward IPv6 source-routed packets. # ndd -set /dev/ip6 ip6_forwarding 0 This command should also be added to the ndd configuration file and/or to the system startup script /etc/rc.config.d/nddconf : TRANSPORT_NAME[index]=ip6 NDD_NAME[index]=ip6_forwarding NDD_VALUE[index]=0
Additional Identifiers
Rule ID: SV-38378r1_rule
Vulnerability ID: V-22553
Group Title: GEN007920
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001551 |
The organization defines approved authorizations for controlling the flow of information between interconnected systems. |
Controls
Number | Title |
---|---|
AC-4 |
Information Flow Enforcement |