AlmaLinux OS 9 must use reverse path filtering on all IP interfaces.

STIG ID: ALMA-09-019820  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-269255

Vulnerability Discussion

Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were received. It must not be used on systems that are routers for complicated networks, but is helpful for end hosts and routers serving small networks.

Check

Verify AlmaLinux OS 9 uses reverse path filtering on all IP interfaces with the following command:

$ sysctl -a | grep -E '\.rp_filter'

net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.enp1s0.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1

If the returned lines do not all have a value of "1", this is a finding.

Fix

Configure AlmaLinux OS 9 to use reverse path filtering on all IP interfaces.

Create a numbered *.conf file in /etc/sysctl.d/ with the following content:

net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1

The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:

$ sysctl --system
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.