Check: GEN003605
HP-UX 11.31 STIG:
GEN003605
(in versions v1 r19 through v1 r13)
Title
The system must not apply reversed source routing to TCP responses. (Cat II impact)
Discussion
Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.
Check Content
Determine if the system is configured to forward source-routed IP packets. When correctly configured, if ip_forward_src_routed is disabled, the system is also configured to disable reverse source routing to TCP responses to source-routed packets. # ndd -get /dev/ip ip_forward_src_routed If the returned value is not '0', this feature is enabled and this is a finding.
Fix Text
Disable the IP source-routed forwarding feature. # ndd -set /dev/ip ip_forward_src_routed 0 Edit /etc/rc.config.d/nddconf and add/set: TRANSPORT_NAME[x] = ip NDD_NAME[x] = ip_forward_src_routed NDD_VALUE[x] = 0
Additional Identifiers
Rule ID: SV-35028r1_rule
Vulnerability ID: V-22412
Group Title: GEN003605
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001551 |
The organization defines approved authorizations for controlling the flow of information between interconnected systems. |
Controls
Number | Title |
---|---|
AC-4 |
Information Flow Enforcement |