Rule ID
SV-279625r1192338_rule
Version
V1R1
CCIs
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.
Verify Nutanix OS is configured to use syncookies. 1. For AOS, Prism Central, and Files, verify the saved value of TCP syncookies using the following command. $ sudo grep -i net.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#' /etc/sysctl.d/99-salt.conf:net.ipv4.tcp_syncookies = 1 2. Verify AHV is configured to use syncookies using the following command. $ sysctl net.ipv4.tcp_syncookies net.ipv4.tcp_syncookies = 1 $ sudo grep -i net.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#' If the value of syncookies is not set to "1", this is a finding.
Set the value of syncookies to 1. 1. For AOS, run the following command. $ sudo salt-call state.sls security/CVM/iptables/init 2. For Prism Central, run the following command. $ sudo salt-call state.sls security/PCVM/iptables/init 3. For Files, run the following command. $ sudo salt-call state.sls security/AFS/iptables/init 4. For AHV, configure Nutanix AHV to use TCP syncookies using the following command. $ sudo sysctl -w net.ipv4.tcp_syncookies=1 If "1" is not the system's default value, add or update the following line in "/etc/sysctl.conf": net.ipv4.tcp_syncookies = 1