Check: GEN003607
HP-UX 11.31 STIG:
GEN003607
(in versions v1 r19 through v1 r14)
Title
The system must not accept source-routed IPv4 packets. (Cat II impact)
Discussion
Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the handling of source-routed traffic destined to the system itself, not to traffic forwarded by the system to another, such as when IPv4 forwarding is enabled and the system is functioning as a router.
Check Content
Check the system for an IP Filter (IPF) rule blocking incoming source-routed packets. # ipfstat -i Examine the list for rules such as: block in log quick [all] | [from any to any] with opt lsrr block in log quick [all] | [from any to any] with opt ssrr If the listed rules do not block incoming traffic with both lsrr and ssrr options, this is a finding.
Fix Text
Edit /etc/opt/ipf/ipf.conf and add rules to block incoming source-routed packets, such as: block in log quick [all] | [from any to any] with opt lsrr block in log quick [all] | [from any to any] with opt ssrr Reload the IPF rules. # ipf -Fa -A -f /etc/opt/ipf/ipf.conf
Additional Identifiers
Rule ID: SV-29713r2_rule
Vulnerability ID: V-22414
Group Title: GEN003607
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001551 |
The organization defines approved authorizations for controlling the flow of information between interconnected systems. |
Controls
Number | Title |
---|---|
AC-4 |
Information Flow Enforcement |