AlmaLinux OS 9 must not enable IP packet forwarding unless the system is a router.

STIG ID: ALMA-09-019160  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-269249

Vulnerability Discussion

Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network.

Check

Verify AlmaLinux OS 9 is not performing IP packet forwarding, unless the system is a router.

Check that IP forwarding is disabled using the following command:

$ sysctl -a | grep -E '\.forwarding'

net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.enp1s0.forwarding = 0
net.ipv4.conf.lo.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.enp1s0.forwarding = 0
net.ipv6.conf.lo.forwarding = 0

If any of the returned lines are not set to "0" and it is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

Fix

Configure AlmaLinux OS 9 to not allow IP packet forwarding, unless the system is a router.

Create a numbered *.conf file in /etc/sysctl.d/ with the following content:

net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.lo.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.lo.forwarding = 0

The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:

$ sysctl –system
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.