Information
Network device drivers have parameters that can be set to provide stronger security settings, depending on environmental needs. This section describes modifications to network parameters for IP, ARP and TCP.
The settings described in this section meet most functional needs while providing additional security against common network attacks. However, it is important to understand the needs of your particular environment to determine if these settings are appropriate for you.
Note:
The items that are Solaris 10 defaults include:
ip_forward_directed_broadcasts
ip_forward_src_routed
ip6_forward_src_routed
ip_respond_to_timestamp
ip_respond_to_timestamp_broadcast
ip_respond_to_address_mask_broadcast
ip6_send_redirects
tcp_rev_src_routes
The items that are NOT Solaris 10 defaults include:
arp_cleanup_interval
ip_ire_arp_interval
ip_ignore_redirect
ip6_ignore_redirect
ip_respond_to_echo_broadcast
ip_strict_dst_multihoming
ip6_strict_dst_multihoming
ip_send_redirects
tcp_conn_req_max_q0
tcp_conn_req_max_q
tcp_extra_priv_ports_add
Note that we are creating a new script that will be executed at boot time to reconfigure the network parameters described in this section. The file cis_netconfig.xml is an SMF manifest for the cis_netconfig service. The cis_netconfig.sh script that follows is a compilation of all the network parameter settings in this section. Once imported into the SMF database, the cis_netconfig.sh script will run on every system reboot to set the network parameters appropriately. Oracle is moving away from legacy run control scripts in /etc/init.d in favor of using SMF services.
Rationale:
Modifying these network parameters as recommended protects against certain common network attacks.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
cat > cis_netconfig.sh << END
#!/sbin/sh
ndd -set /dev/ip ip_forward_src_routed 0
ndd -set /dev/ip ip6_forward_src_routed 0
ndd -set /dev/tcp tcp_rev_src_routes 0
ndd -set /dev/ip ip_forward_directed_broadcasts 0
ndd -set /dev/tcp tcp_conn_req_max_q0 4096
ndd -set /dev/tcp tcp_conn_req_max_q 1024
ndd -set /dev/ip ip_respond_to_timestamp 0
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
ndd -set /dev/ip ip_respond_to_echo_multicast 0
ndd -set /dev/ip ip6_respond_to_echo_multicast 0
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
ndd -set /dev/arp arp_cleanup_interval 60000
ndd -set /dev/ip ip_ire_arp_interval 60000
ndd -set /dev/ip ip_ignore_redirect 1
ndd -set /dev/ip ip6_ignore_redirect 1
ndd -set /dev/tcp tcp_extra_priv_ports_add 6112
ndd -set /dev/ip ip_strict_dst_multihoming 1
ndd -set /dev/ip ip6_strict_dst_multihoming 1
ndd -set /dev/ip ip_send_redirects 0
ndd -set /dev/ip ip6_send_redirects 0
END
chmod +x cis_netconfig.sh
Place the script in /lib/svc/method.
Appendix 11.9 contains a script to create an SMF service to run all the network commands described in the following sub-sections. If the SMF service is created as described in Appendix 11.9, execute the following command for it to take effect:
cp cis_netconfig.sh /lib/svc/method
chmod 750 /lib/svc/method/cis_netconfig.sh
svccfg import cis_netconfig.xml
When the service is enabled or the system is rebooted, the cis_netconfig.sh script will be executed and the appropriate network parameters will be updated. Store the manifest file in /var/svc/manifest/site if it has to be re-imported into the system at a later date. A description for each network parameter setting is included in the following sections.
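Because this audit item is not checked automatically, the following POSIX shell script is an added verification helper (it is not part of the CIS benchmark, the Tenable audit, or the cis_netconfig.sh script above). It embeds the recommended values from cis_netconfig.sh as a table, reads the live values with "ndd -get" when run with --live on a Solaris 10 host, and reports every parameter that differs. tcp_extra_priv_ports_add is write-only, so its effect is verified by reading tcp_extra_priv_ports and looking for port 6112 in the list; the device and parameter names are the page's own, and the --live flag and function names are assumptions of this helper.

```shell
#!/bin/sh
# Added compliance check for the CIS Solaris 10 network parameter settings.
# Recommended values copied from cis_netconfig.sh: "device parameter value".
RECOMMENDED='
/dev/ip ip_forward_src_routed 0
/dev/ip ip6_forward_src_routed 0
/dev/tcp tcp_rev_src_routes 0
/dev/ip ip_forward_directed_broadcasts 0
/dev/tcp tcp_conn_req_max_q0 4096
/dev/tcp tcp_conn_req_max_q 1024
/dev/ip ip_respond_to_timestamp 0
/dev/ip ip_respond_to_timestamp_broadcast 0
/dev/ip ip_respond_to_address_mask_broadcast 0
/dev/ip ip_respond_to_echo_multicast 0
/dev/ip ip6_respond_to_echo_multicast 0
/dev/ip ip_respond_to_echo_broadcast 0
/dev/arp arp_cleanup_interval 60000
/dev/ip ip_ire_arp_interval 60000
/dev/ip ip_ignore_redirect 1
/dev/ip ip6_ignore_redirect 1
/dev/ip ip_strict_dst_multihoming 1
/dev/ip ip6_strict_dst_multihoming 1
/dev/ip ip_send_redirects 0
/dev/ip ip6_send_redirects 0
'
# Port that tcp_extra_priv_ports_add 6112 marks as privileged.
EXTRA_PRIV_PORT=6112

# Print the recommended value for a device/parameter pair (nothing if unknown).
expected_value() {
    printf '%s\n' "$RECOMMENDED" | awk -v d="$1" -v p="$2" '$1 == d && $2 == p { print $3 }'
}

# Read "device parameter actual" lines from stdin, print FAIL/UNKNOWN lines,
# and return the number of mismatches as the exit status (0 means compliant).
check_params() {
    bad=0
    while read -r dev param actual; do
        [ -n "$dev" ] || continue
        want=$(expected_value "$dev" "$param")
        if [ -z "$want" ]; then
            echo "UNKNOWN $dev $param (no recommended value in table)"
        elif [ "$actual" != "$want" ]; then
            echo "FAIL $dev $param is '$actual', expected $want"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Given the output of "ndd -get /dev/tcp tcp_extra_priv_ports" (one port per
# line) as $1, succeed only if $2 is among the listed privileged ports.
port_is_privileged() {
    printf '%s\n' "$1" | grep -qx "$2"
}

# Collect live values with ndd (Solaris only); emits the line format check_params reads.
collect_live() {
    printf '%s\n' "$RECOMMENDED" | while read -r dev param want; do
        [ -n "$dev" ] || continue
        printf '%s %s %s\n' "$dev" "$param" "$(ndd -get "$dev" "$param" 2>/dev/null)"
    done
}

# Run the live audit only when asked to, so the functions can be sourced elsewhere.
if [ "${1:-}" = "--live" ]; then
    collect_live | check_params
    rc=$?
    if port_is_privileged "$(ndd -get /dev/tcp tcp_extra_priv_ports 2>/dev/null)" "$EXTRA_PRIV_PORT"; then
        echo "OK /dev/tcp tcp_extra_priv_ports includes $EXTRA_PRIV_PORT"
    else
        echo "FAIL /dev/tcp tcp_extra_priv_ports does not include $EXTRA_PRIV_PORT"
        rc=$((rc + 1))
    fi
    exit "$rc"
fi
```

Run it as "sh cis_netcheck.sh --live" after the SMF service has started; a non-zero exit status equals the number of non-compliant parameters, which makes it easy to wire into a cron job or a configuration-management check. Note that a freshly booted host reports the benchmark values only once the cis_netconfig service has actually run, so a FAIL right after import usually means the service is disabled rather than the script being wrong.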