OL 8 must not perform packet forwarding unless the system is a router.

STIG ID: OL08-00-040260  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-248883 | 

Vulnerability Discussion

Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.

Check

Verify OL 8 is not performing packet forwarding unless the system is a router.

Note: If either IPv4 or IPv6 is disabled on the system, this requirement only applies to the active internet protocol version.

Determine if IP forwarding is enabled using the following commands:

$ sudo sysctl net.ipv4.ip_forward

net.ipv4.ip_forward = 0

$ sudo sysctl net.ipv6.conf.all.forwarding

net.ipv6.conf.all.forwarding = 0

If the IP forwarding value is "1" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.

Fix

Configure OL 8 to not allow packet forwarding unless the system is a router with the following commands:

$ sudo sysctl -w net.ipv4.ip_forward=0

$ sudo sysctl -w net.ipv6.conf.all.forwarding=0

If "0" is not the system's default value, add or update the following lines in "/etc/sysctl.conf" or in the appropriate file under "/etc/sysctl.d":

net.ipv4.ip_forward=0

net.ipv6.conf.all.forwarding=0
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.