STIGQter: STIG Summary: Solaris 11 X86 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The system must prevent local applications from generating source-routed packets.

DISA Rule

SV-216157r603268_rule

Vulnerability Number

V-216157

Group Title

SRG-OS-000480

Rule Version

SOL-11.1-050370

Severity

CAT III

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

The root role is required.

# pfedit /etc/ipf/ipf.conf

For Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter dd rules to block outgoing source-routed packets, such as:

block out log quick all with opt lsrr
block out log quick all with opt ssrr

Reload the IPF rules.

# ipf -Fa -A -f /etc/ipf/ipf.conf

For Solaris 11.3 or newer that use Packet Filter remove or modify any rules that include "allow-opts".

Reload the Packet Filter rules:
# svcadm refresh firewall:default

Check Contents

Determine the OS version you are currently securing.
# uname –v

Solaris 11, 11.1, 11.2, and 11.3 use IP Filter. To continue checking IP Filter, the IP Filter Management profile is required.

Check the system for an IPF rule blocking outgoing source-routed packets.

# ipfstat -o

Examine the list for rules such as:
block out log quick from any to any with opt lsrr
block out log quick from any to any with opt ssrr

If the listed rules do not block both lsrr and ssrr options, this is a finding.

For Solaris 11.3 or newer that use Packet Filter, the Network Firewall Management rights profile is required.

Ensure that IP Options are not in use:
# pfctl -s rules | grep allow-opts

If any output is returned, this is a finding.

Vulnerability Number

V-216157

Documentable

False

Rule Version

SOL-11.1-050370

Severity Override Guidance

Determine the OS version you are currently securing.
# uname –v

Solaris 11, 11.1, 11.2, and 11.3 use IP Filter. To continue checking IP Filter, the IP Filter Management profile is required.

Check the system for an IPF rule blocking outgoing source-routed packets.

# ipfstat -o

Examine the list for rules such as:
block out log quick from any to any with opt lsrr
block out log quick from any to any with opt ssrr

If the listed rules do not block both lsrr and ssrr options, this is a finding.

For Solaris 11.3 or newer that use Packet Filter, the Network Firewall Management rights profile is required.

Ensure that IP Options are not in use:
# pfctl -s rules | grep allow-opts

If any output is returned, this is a finding.

Check Content Reference

M

Target Key

4021

Comments