Navigate

Check: GEN003605

SUSE Linux Enterprise Server v11 for System z STIG: GEN003605 (in versions v1 r12 through v1 r9)

Title

The system must not apply reversed source routing to TCP responses. (Cat II impact)

Discussion

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.

Check Content

Check the reverse source route settings for the system: # sysctl net.ipv4.conf.all.accept_source_route # sysctl net.ipv4.conf.default.accept_source_route If either setting has a value other than zero, this is a finding.

Fix Text

Add the entries in /etc/sysctl.conf to disable reverse source routing: # printf "sysctl net.ipv4.conf.all.accept_source_route = 0\n" >> /etc/sysctl.conf # printf "sysctl net.ipv4.conf.default.accept_source_route = 0\n" >> /etc/sysctl.conf Activate the updated settings: # /sbin/sysctl -p /etc/sysctl.conf

Additional Identifiers

Rule ID: SV-46156r1_rule

Vulnerability ID: V-22412

Group Title: GEN003605

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-001551	The organization defines approved authorizations for controlling the flow of information between interconnected systems.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
AC-4	Information Flow Enforcement