Check: GEN003604
Solaris 10 SPARC STIG:
GEN003604
(in versions v2 r4 through v1 r19)
Title
The system must not respond to ICMP timestamp requests sent to a broadcast address. (Cat II impact)
Discussion
The processing of Internet Control Message Protocol (ICMP) timestamp requests increases the attack surface of the system. Responding to broadcast ICMP timestamp requests facilitates network mapping and provides a vector for amplification attacks.
Check Content
Determine the type of zone that you are currently securing. # zonename If the zone is not the global zone, determine if any interfaces are exclusive to the zone: # dladm show-link If the output indicates "insufficient privileges" then this requirement is not applicable. If the zone is the global zone or the non-global zone has exclusive interfaces verify the system does not respond to ICMP timestamp requests set to broadcast addresses. # ndd /dev/ip ip_respond_to_echo_broadcast If the result is not 0, this is a finding.
Fix Text
Configure the system to not respond to ICMP timestamp requests sent to broadcast addresses. # ndd -set /dev/ip ip_respond_to_echo_broadcast 0 Also add this command to a system startup script.
Additional Identifiers
Rule ID: SV-226892r603265_rule
Vulnerability ID: V-226892
Group Title: SRG-OS-000480
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |