Navigate

Check: GEN005600

SUSE Linux Enterprise Server v11 for System z STIG: GEN005600 (in versions v1 r12 through v1 r9)

Title

IP forwarding for IPv4 must not be enabled, unless the system is a router. (Cat II impact)

Discussion

If the system is configured for IP forwarding and is not a designated router, it could be used to bypass network security by providing a path for communication not filtered by network devices.

Check Content

Check if the system is configured for IPv4 forwarding. If the system is a VM host and acts as a router solely for the benefits of its client systems, then this rule is not applicable. Procedure: # cat /proc/sys/net/ipv4/ip_forward If the value is set to "1", IPv4 forwarding is enabled this is a finding.

Fix Text

Edit "/etc/sysctl.conf" and set net.ipv4.ip_forward to "0". Restart the system or run "sysctl -p" to make the change take effect.

Additional Identifiers

Rule ID: SV-46114r1_rule

Vulnerability ID: V-12023

Group Title: GEN005600

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000366	The organization implements the security configuration settings.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
CM-6	Configuration Settings