Check: GEN003603
HP-UX 11.31 STIG:
GEN003603
(in versions v1 r19 through v1 r13)
Title
The system must not respond to ICMPv4 echoes sent to a broadcast address. (Cat II impact)
Discussion
Responding to broadcast Internet Control Message Protocol (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
Check Content
Verify the system does not respond to ICMP ECHO_REQUESTs set to broadcast addresses. # ndd -get /dev/ip ip_respond_to_echo_broadcast If the result is not 0, this is a finding.
Fix Text
Configure the system to not respond to ICMP ECHO_REQUESTs sent to broadcast addresses. # ndd -set /dev/ip ip_respond_to_echo_broadcast 0 Edit /etc/rc.config.d/nddconf and add/set: TRANSPORT_NAME[x]=ip NDD_NAME[x]=ip_respond_to_echo_broadcast NDD_VALUE[x]=0
Additional Identifiers
Rule ID: SV-35025r1_rule
Vulnerability ID: V-22410
Group Title: GEN003603
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001551 |
The organization defines approved authorizations for controlling the flow of information between interconnected systems. |
Controls
Number | Title |
---|---|
AC-4 |
Information Flow Enforcement |