Rule ID
SV-281356r1167218_rule
Version
V1R1
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. Satisfies: SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPOS-00087
Note: If IPv6 is disabled on the system, this requirement is not applicable. Verify RHEL 10 does not accept IPv6 source-routed packets. Check the value of the "net.ipv6.conf.all.accept_source_route" variable with the following command: $ sudo sysctl net.ipv6.conf.all.accept_source_route net.ipv6.conf.all.accept_source_route = 0 If "net.ipv6.conf.all.accept_source_route" is not set to "0" or is missing, this is a finding.
Configure RHEL 10 to not accept IPv6 source-routed packets. Create a configuration file if it does not already exist: $ sudo vi /etc/sysctl.d/ipv6_accept_source_route.conf Add the following line to the file: net.ipv6.conf.all.accept_source_route = 0 Reload settings from all system configuration files with the following command: $ sudo sysctl --system