Title

The DHCP client must be disabled if not needed. (Cat II impact)

Discussion

DHCP relies on trusting the local network. If the local network is not trusted, then it should not be used. However, the automatic configuration provided by DHCP is commonly used and the alternative, manual configuration, presents an unacceptable burden in many circumstances.

Check Content

IIf DHCP is required by the organization, this is Not Applicable. For each interface [IFACE] on the system (e.g. eth0), verify that DHCP is not being used: Note: This requirement does not apply to the local loopback interface. # cat /etc/sysconfig/network-scripts/ifcfg-[IFACE] | grep -i “bootproto” | grep –v “#” BOOTPROTO=none If no output is returned this is a finding. If BOOTPROTO is not set to ”none”, this is a finding.

Fix Text

For each interface [IFACE] on the system (e.g. eth0), edit "/etc/sysconfig/network-scripts/ifcfg-[IFACE]" and make the following changes. Correct the BOOTPROTO line to read: BOOTPROTO=none Add or correct the following lines, substituting the appropriate values based on your site's addressing scheme: NETMASK=[local LAN netmask] IPADDR=[assigned IP address] GATEWAY=[local LAN default gateway]

Additional Identifiers

Rule ID: SV-218042r603264_rule

Vulnerability ID: V-218042

Group Title: SRG-OS-000095

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.