Check: RHEL-08-040259
RHEL 8 STIG:
RHEL-08-040259
(in versions v2 r1 through v1 r7)
Title
RHEL 8 must not enable IPv4 packet forwarding unless the system is a router. (Cat II impact)
Discussion
Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf
Check Content
Verify RHEL 8 is not performing IPv4 packet forwarding, unless the system is a router. Check that IPv4 forwarding is disabled using the following command: $ sudo sysctl net.ipv4.conf.all.forwarding net.ipv4.conf.all.forwarding = 0 If the IPv4 forwarding value is not "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo grep -r net.ipv4.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf /etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.forwarding = 0 If "net.ipv4.conf.all.forwarding" is not set to "0", is missing or commented out, this is a finding. If conflicting results are returned, this is a finding.
Fix Text
Configure RHEL 8 to not allow IPv4 packet forwarding, unless the system is a router. Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: net.ipv4.conf.all.forwarding=0 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf Load settings from all system configuration files with the following command: $ sudo sysctl --system
Additional Identifiers
Rule ID: SV-250317r1017358_rule
Vulnerability ID: V-250317
Group Title: SRG-OS-000480-GPOS-00227
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
Implement the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |