Check: GEN007940
Solaris 9 X86 STIG:
GEN007940
(in version v1 r9)
Title
The system must not accept source-routed IPv6 packets. (Cat II impact)
Discussion
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the handling of source-routed traffic destined to the system itself, not to traffic forwarded by the system to another, such as when IPv6 forwarding is enabled and the system is functioning as a router.
Check Content
Verify the system is configured to not forward IPv6 source-routed packets. # ndd /dev/ip6 ip6_forward_src_routed If the returned value is not 0, this is a finding.
Fix Text
Configure the system to not forward IPv6 source-routed packets. # ndd -set /dev/ip6 ip6_forward_src_routed 0 Also, add this command to a system startup script.
Additional Identifiers
Rule ID: SV-42323r1_rule
Vulnerability ID: V-22554
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001551 |
The organization defines approved authorizations for controlling the flow of information between interconnected systems. |
Controls
Number | Title |
---|---|
AC-4 |
Information Flow Enforcement |