STIGQter: STIG Summary: Solaris 11 X86 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The operating system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.

DISA Rule

SV-216237r603268_rule

Vulnerability Number

V-216237

Group Title

SRG-OS-000142

Rule Version

SOL-11.1-090280

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The Network Management profile is required.

Set each link’s speed-duplex protection to an appropriate value based on each configured network interface’s POSSIBLE settings.

Determine the OS version you are currently securing:

# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:

# pfexec dladm set-linkprop -p en_1000fdx_cap=1 net1

For Solaris 11.4 or newer:

# pfexec dladm set-linkprop -p speed-duplex=1g-f,100m-f net1

Check Contents

Determine active Ethernet interfaces and note each LINK name and SPEED-DUPLEX:

# dladm show-ether -Z | egrep "LINK|up"

LINK PTYPE STATE AUTO SPEED-DUPLEX PAUSE
net0 current up yes 1G-f bi
net1 current up yes 100m-f bi

Determine the OS version you are currently securing:

# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:

# dladm show-linkprop net0 | egrep "LINK|en_" | sort|uniq

LINK PROPERTY PERM VALUE EFFECTIVE DEFAULT POSSIBLE
net0 en_1000fdx_cap rw 1 1 0 1,0
net0 en_1000hdx_cap r- 0 0 0 1,0
net0 en_100fdx_cap rw 1 1 1 1,0
net0 en_100hdx_cap rw 1 1 1 1,0
net0 en_10fdx_cap rw 1 1 1 1,0
net0 en_10gfdx_cap -- -- -- 0 1,0
net0 en_10hdx_cap rw 1 1 1 1,0
net0 en_25gfdx_cap -- -- -- 0 1,0
net0 en_40gfdx_cap -- -- -- 0 1,0

# dladm show-linkprop net1 | egrep "LINK|en_" | sort|uniq

LINK PROPERTY PERM VALUE EFFECTIVE DEFAULT POSSIBLE
net1 en_1000fdx_cap rw 0 0 0 1,0
net1 en_1000hdx_cap r- 0 0 0 1,0
net1 en_100fdx_cap rw 1 1 1 1,0
net1 en_100hdx_cap rw 1 1 1 1,0
net1 en_10fdx_cap rw 1 1 1 1,0
net1 en_10gfdx_cap -- -- -- 0 1,0
net1 en_10hdx_cap rw 1 1 1 1,0
net1 en_25gfdx_cap -- -- -- 0 1,0
net1 en_40gfdx_cap -- -- -- 0 1,0

For Solaris 11.4 or newer:

# dladm show-linkprop -p speed-duplex net0

LINK PROPERTY PERM VALUE EFFECTIVE DEFAULT POSSIBLE
net0 speed-duplex rw 1g-f,100m-f,100m-h,10m-f,10m-h 1g-f,100m-f,100m-h,10m-f,10m-h 100m-f,100m-h,10m-f,10m-h 1g-f,100m-f,100m-h,10m-f,10m-h

# dladm show-linkprop -p speed-duplex net1

LINK PROPERTY PERM VALUE EFFECTIVE DEFAULT POSSIBLE
net1 speed-duplex rw 100m-f 100m-f 100m-f,100m-h,10m-f,10m-h 1g-f,100m-f,100m-h,10m-f,10m-h

For each link, determine if its current speed-duplex settings VALUE field is appropriate for managing any excess bandwidth capacity based on its POSSIBLE settings field; if not, this is a finding.
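The following POSIX shell script is an added audit helper, not part of the STIG text or of STIGQter. It parses the output of the two dladm commands this check uses (the en_*_cap table on Solaris 11.0 through 11.3 and the speed-duplex property on 11.4) and flags any link that still has a half-duplex mode enabled, on the assumption that the site policy is full-duplex only, which is what the fix text's own examples (en_1000fdx_cap=1, speed-duplex=1g-f,100m-f) configure. The embedded dladm output is constructed from the tables above, and the 11.4 branch assumes that the parseable form dladm show-linkprop -c -o LINK,VALUE -p speed-duplex prints one colon-separated line per link.

```shell
#!/bin/sh
# Audit helper for the SOL-11.1-090280 check (added example, not STIG text).
# Assumption: full-duplex-only policy, matching the fix text's examples.

# Constructed sample of `dladm show-linkprop net1 | egrep "LINK|en_"`
# (Solaris 11.0-11.3 format as shown in the check content).
SAMPLE_PRE114='LINK PROPERTY PERM VALUE EFFECTIVE DEFAULT POSSIBLE
net1 en_1000fdx_cap rw 0 0 0 1,0
net1 en_1000hdx_cap r- 0 0 0 1,0
net1 en_100fdx_cap rw 1 1 1 1,0
net1 en_100hdx_cap rw 1 1 1 1,0
net1 en_10fdx_cap rw 1 1 1 1,0
net1 en_10gfdx_cap -- -- -- 0 1,0
net1 en_10hdx_cap rw 1 1 1 1,0'

# Constructed sample of `dladm show-linkprop -c -o LINK,VALUE -p speed-duplex net0`
# (Solaris 11.4; the colon-separated parseable layout is an assumption).
SAMPLE_114='net0:1g-f,100m-f,100m-h,10m-f,10m-h'

# enabled_caps_pre114 OUTPUT
#   Prints the en_*_cap capabilities whose VALUE column is 1, with the
#   en_/_cap wrapper stripped, e.g. "100fdx 100hdx 10fdx 10hdx".
#   Rows whose VALUE is "--" (unsupported on the hardware) are ignored.
enabled_caps_pre114() {
    printf '%s\n' "$1" | awk '
        $2 ~ /^en_.*_cap$/ && $4 == "1" {
            cap = $2; sub(/^en_/, "", cap); sub(/_cap$/, "", cap)
            out = (out == "" ? cap : out " " cap)
        }
        END { print out }'
}

# enabled_modes_114 OUTPUT
#   Prints the speed-duplex VALUE list as space-separated modes,
#   e.g. "1g-f 100m-f 100m-h 10m-f 10m-h".
enabled_modes_114() {
    printf '%s\n' "$1" | awk -F: '{ gsub(/,/, " ", $2); print $2 }'
}

# half_duplex_modes LIST
#   Prints the half-duplex entries of a mode list: "...hdx" in the
#   pre-11.4 naming, "...-h" in the 11.4 naming. Empty if none.
half_duplex_modes() {
    for m in $1; do
        case "$m" in
            *hdx|*-h) printf '%s ' "$m" ;;
        esac
    done | sed 's/ $//'
}

# audit_link LINK LIST
#   Prints a verdict line; returns 0 when no half-duplex mode is enabled,
#   1 when the link needs review under the check.
audit_link() {
    hd=$(half_duplex_modes "$2")
    if [ -z "$hd" ]; then
        printf '%s: PASS (enabled: %s)\n' "$1" "$2"
        return 0
    fi
    printf '%s: REVIEW half-duplex still enabled: %s\n' "$1" "$hd"
    return 1
}

# Stand-alone run over the constructed samples. On a live host, replace the
# samples with the real command output for each link listed by
# `dladm show-ether -Z`. The `|| true` keeps a REVIEW verdict from aborting
# the run when the script is executed under `set -e`.
audit_link net1 "$(enabled_caps_pre114 "$SAMPLE_PRE114")" || true
audit_link net0 "$(enabled_modes_114 "$SAMPLE_114")" || true
```

Whether the modes that remain enabled on a link are "appropriate" is still the reviewer's judgement under this rule; the script only narrows the list to the links that need that judgement and records what is currently negotiable on each.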

Vulnerability Number

V-216237

Documentable

False

Rule Version

SOL-11.1-090280

Severity Override Guidance

Check Content Reference

M

Target Key

4021

Comments