Check: RHEL-07-040611
Red Hat Enterprise Linux 7 STIG:
RHEL-07-040611
(in versions v3 r14 through v3 r10)
Title
The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces. (Cat II impact)
Discussion
Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems that are routers for complicated networks, but is helpful for end hosts and routers serving small networks.
Check Content
Verify the system uses a reverse-path filter for IPv4: # grep -r net.ipv4.conf.all.rp_filter /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null net.ipv4.conf.all.rp_filter = 1 If "net.ipv4.conf.all.rp_filter" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "1", this is a finding. Check that the operating system implements the accept source route variable with the following command: # /sbin/sysctl -a | grep net.ipv4.conf.all.rp_filter net.ipv4.conf.all.rp_filter = 1 If the returned line does not have a value of "1", this is a finding. If conflicting results are returned, this is a finding.
Fix Text
Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.all.rp_filter = 1 Issue the following command to make the changes take effect: # sysctl --system
Additional Identifiers
Rule ID: SV-204610r880800_rule
Vulnerability ID: V-204610
Group Title: SRG-OS-000480-GPOS-00227
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |