RHEL 10 must not enable Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router.

STIG ID: RHEL-10-800210  |  SRG: SRG-OS-000420-GPOS-00186 |  Severity: medium (CAT II)  |  CCI: CCI-002385,CCI-001108 |  Vulnerability Id: V-281353

Vulnerability Discussion

Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be transmitted unnecessarily across the network.

Satisfies: SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPOS-00084

Check

Verify RHEL 10 is not performing IPv4 packet forwarding unless the system is a router.

Check that "net.ipv4.conf.all.forwarding" is disabled using the following command:

$ sudo sysctl net.ipv4.conf.all.forwarding
net.ipv4.conf.all.forwarding = 0

If "net.ipv4.conf.all.forwarding" is not set to "0" and is not documented with the information system security officer as an operational requirement or is missing, this is a finding.

Fix

Configure RHEL 10 to not allow IPv4 packet forwarding unless the system is a router.

Create a configuration file if it does not already exist:

$ sudo vi /etc/sysctl.d/ipv4_forwarding.conf

Add the following line to the file:

net.ipv4.conf.all.forwarding = 0

Reload settings from all system configuration files with the following command:

$ sudo sysctl --system
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.