An error occurred:

Check: GEN003580

HP-UX 11.31 STIG: GEN003580 (in versions v1 r19 through v1 r13)

Title

The system must use initial TCP sequence numbers most resistant to sequence number guessing attacks. (Cat II impact)

Discussion

One use of initial TCP sequence numbers is to verify bidirectional communication between two hosts, which provides some protection against spoofed source addresses being used by the connection originator. If the initial TCP sequence numbers for a host can be determined by an attacker, it may be possible to establish a TCP connection from a spoofed source address without bidirectional communication.

Check Content

# ndd -get /dev/tcp tcp_isn_passphrase If the value 1 is not returned, this is a finding.

Fix Text

# ndd -set /dev/tcp tcp_isn_passphrase <a random passphrase> Edit /etc/rc.config.d/nddconf and add/set: TRANSPORT_NAME[x] = tcp NDD_NAME[x] = tcp_isn_passphrase NDD_VALUE[x] = <a random passphrase>

Additional Identifiers

Rule ID: SV-35010r1_rule

Vulnerability ID: V-12001

Group Title: GEN003580

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001436

The organization disables organization-defined networking protocols within the information system deemed to be nonsecure except for explicitly identified components in support of specific operational requirements.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
No controls are assigned to this check