RHEL 10 must use reverse path filtering on all Internet Protocol version 4 (IPv4) interfaces.

STIG ID: RHEL-10-800130  |  SRG: SRG-OS-000420-GPOS-00186 |  Severity: medium (CAT II)  |  CCI: CCI-002385,CCI-001100 |  Vulnerability Id: V-281345

Vulnerability Discussion

Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were received. It must not be used on systems that are routers for complicated networks but is helpful for end hosts and routers serving small networks.

Satisfies: SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPOS-00076

Check

Verify RHEL 10 uses reverse path filtering on all IPv4 interfaces.

Check the value of the "net.ipv4.conf.all.rp_filter" variable with the following command:

$ sudo sysctl net.ipv4.conf.all.rp_filter
net.ipv4.conf.all.rp_filter = 1

If "net.ipv4.conf.all.rp_filter" is not set to "1" or is missing, this is a finding.

Fix

Configure RHEL 10 to use reverse path filtering on all IPv4 interfaces.

Create a configuration file if it does not already exist:

$ sudo vi /etc/sysctl.d/99-ipv4_rp_filter.conf

Add the following line to the file:

net.ipv4.conf.all.rp_filter = 1

Reload settings from all system configuration files with the following command:

$ sudo sysctl --system
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.