Check: GEN003580
HP-UX 11.31 STIG:
GEN003580
(in versions v1 r19 through v1 r13)
Title
The system must use initial TCP sequence numbers most resistant to sequence number guessing attacks. (Cat II impact)
Discussion
One use of initial TCP sequence numbers is to verify bidirectional communication between two hosts, which provides some protection against spoofed source addresses being used by the connection originator. If the initial TCP sequence numbers for a host can be determined by an attacker, it may be possible to establish a TCP connection from a spoofed source address without bidirectional communication.
Check Content
# ndd -get /dev/tcp tcp_isn_passphrase If the value 1 is not returned, this is a finding.
Fix Text
# ndd -set /dev/tcp tcp_isn_passphrase <a random passphrase> Edit /etc/rc.config.d/nddconf and add/set: TRANSPORT_NAME[x] = tcp NDD_NAME[x] = tcp_isn_passphrase NDD_VALUE[x] = <a random passphrase>
Additional Identifiers
Rule ID: SV-35010r1_rule
Vulnerability ID: V-12001
Group Title: GEN003580
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001436 |
The organization disables organization-defined networking protocols within the information system deemed to be nonsecure except for explicitly identified components in support of specific operational requirements. |
Controls
Number | Title |
---|---|
No controls are assigned to this check |