Detections
Analytics
GEN003607 - The system must not accept source-routed IPv4 packets - 'net.ipv4.conf.default.accept_source_route'
Information
Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the handling of source-routed traffic destined to the system itself, not to traffic forwarded by the system to another system, such as when IPv4 forwarding is enabled and the system is functioning as a router.Solution
Configure the system to not accept source-routed IPv4 packets.Edit /etc/sysctl.conf and add a setting for 'net.ipv4.conf.all.accept_source_route=0' and 'net.ipv4.conf.default.accept_source_route=0'.
Reload the sysctls.
Procedure:
# sysctl -p
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Linux_5_V2R1_STIG.zip
Item Details
Audit Name: DISA STIG for Oracle Linux 5 v2r1
Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT
References: 800-53|AC-4, 800-53|CM-6d., 800-53|CM-7b., CAT|II, CCI|CCI-000382, CCI|CCI-001503, CCI|CCI-001551, Rule-ID|SV-218484r603259_rule, STIG-ID|GEN003607, STIG-Legacy|SV-64197, STIG-Legacy|V-22414, Vuln-ID|V-218484
Plugin: Unix
Control ID: 7d864f0138da1ca01c5936795757458a9ef65f70afeb052d6f2751d082f0315f