The Oracle Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default.

STIG ID: OL07-00-040612  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-221875 | 

Vulnerability Discussion

Enabling reverse path filtering drops packets with invalid source addresses received on the interface. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.

Check

Verify the system uses a reverse-path filter for IPv4:

# grep net.ipv4.conf.default.rp_filter /etc/sysctl.conf /etc/sysctl.d/*
net.ipv4.conf.default.rp_filter = 1

If "net.ipv4.conf.default.rp_filter" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "1", this is a finding.

Check that the operating system implements the accept source route variable with the following command:

# /sbin/sysctl -a | grep net.ipv4.conf.default.rp_filter
net.ipv4.conf.default.rp_filter = 1

If the returned line does not have a value of "1", this is a finding.

Fix

Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):

net.ipv4.conf.default.rp_filter = 1

Issue the following command to make the changes take effect:

# sysctl --system