Check: GEN003600
HP-UX 11.31 STIG:
GEN003600
(in versions v1 r19 through v1 r13)
Title
The system must not forward IPv4 source-routed packets. (Cat II impact)
Discussion
Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.
Check Content
Determine if the system is configured to forward source-routed IP packets. # ndd -get /dev/ip ip_forward_src_routed If the returned value is not 0, then this feature is enabled, this is a finding.
Fix Text
Disable the IP source-routed forwarding feature. # ndd -set /dev/ip ip_forward_src_routed 0 Edit /etc/rc.config.d/nddconf and add/set: TRANSPORT_NAME[x] = ip NDD_NAME[x] = ip_forward_src_routed NDD_VALUE[x] = 0
Additional Identifiers
Rule ID: SV-38259r1_rule
Vulnerability ID: V-12002
Group Title: GEN003600
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001551 |
The organization defines approved authorizations for controlling the flow of information between interconnected systems. |
Controls
Number | Title |
---|---|
AC-4 |
Information Flow Enforcement |