Check: RHEL-09-253075
RHEL 9 STIG:
RHEL-09-253075
(in version v1 r1)
Title
RHEL 9 must not enable IPv4 packet forwarding unless the system is a router. (Cat II impact)
Discussion
Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network.
Check Content
Verify RHEL 9 is not performing IPv4 packet forwarding, unless the system is a router. Check that IPv4 forwarding is disabled using the following command: $ sysctl net.ipv4.conf.all.forwarding net.ipv4.conf.all.forwarding = 0 If the IPv4 forwarding value is not "0" and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding. Check that the configuration files are present to enable this network parameter. $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F net.ipv4.conf.all.forwarding | tail -1 net.ipv4.conf.all.forwarding = 0 If "net.ipv4.conf.all.forwarding" is not set to "0" and is not documented with the ISSO as an operational requirement or is missing, this is a finding.
Fix Text
Configure RHEL 9 to not allow IPv4 packet forwarding, unless the system is a router. Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: net.ipv4.conf.all.forwarding = 0 Load settings from all system configuration files with the following command: $ sudo sysctl --system
Additional Identifiers
Rule ID: SV-257970r925897_rule
Vulnerability ID: V-257970
Group Title: SRG-OS-000480-GPOS-00227
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |