← Back to Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide

V-282697

CAT II (Medium)

TOSS 5 must not enable Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router.

Rule ID

SV-282697r1201349_rule

STIG

Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000366

Discussion

Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network.

Check Content

Verify TOSS 5 is not performing IPv4 packet forwarding unless the system is a router using the following command:

$ sudo sysctl net.ipv4.conf.all.forwarding

net.ipv4.conf.all.forwarding = 0

If the IPv4 forwarding value is not "0" and is not documented with the information system security officer (ISSO) as an operational requirement is missing, this is a finding.

Fix Text

Configure TOSS 5 to not allow IPv4 packet forwarding unless the system is a router.

Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory:

net.ipv4.conf.all.forwarding = 0

Load settings from all system configuration files using the following command:

$ sudo sysctl --system