STIGQter: STIG Summary: CA API Gateway NDM Security Technical Implementation Guide, Version: 1, Release: 1, Benchmark Date: 19 Sep 2016

The CA API Gateway must protect against or limit the effects of all known types of Denial of Service (DoS) attacks on the CA API Gateway management network by employing organization-defined security safeguards.

DISA Rule

SV-86185r1_rule

Vulnerability Number

V-71561

Group Title

SRG-APP-000435-NDM-000315

Rule Version

CAGW-DM-000310

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

If the "iptables" file is not consistent, replace it with one from the distribution RPM. You may need to add additional permissions if some services are required.

Check Contents

Verify the CA API Gateway drops packets by default and only puts non-Gateway services on trusted interfaces.

Check for the following lines in "/etc/sysconfig/iptables":
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
[0:0] -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A INPUT -i eth2 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A INPUT -i eth3 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A INPUT -i eth0 -p udp -m udp --dport 123 -j ACCEPT
[0:0] -A INPUT -i eth2 -p udp -m udp --dport 123 -j ACCEPT
[0:0] -A INPUT -i eth3 -p udp -m udp --dport 123 -j ACCEPT
[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT
[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT

Check for the following lines in "/etc/sysconfig/ip6tables":
:INPUT DROP [0:0]
[0:0] -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A INPUT -i eth2 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A INPUT -i eth3 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A INPUT -i eth0 -p udp -m udp --dport 123 -j ACCEPT
[0:0] -A INPUT -i eth2 -p udp -m udp --dport 123 -j ACCEPT
[0:0] -A INPUT -i eth3 -p udp -m udp --dport 123 -j ACCEPT
[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT
[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT

If the CA API Gateway does not drop packets by default or puts non-Gateway services on untrusted interfaces, this is a finding.

Verify the CA API Gateway logs and drops TCP packets with bad flags.

Check for the following lines in "/etc/sysconfig/iptables":
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j badflags
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j badflags
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j badflags
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j badflags
[0:0] -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j badflags
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j badflags
[0:0] -A badflags -m limit --limit 15/min -j LOG --log-prefix "Badflags:"
[0:0] -A badflags -j DROP

Check for the following lines in "/etc/sysconfig/ip6tables":
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j badflags6
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j badflags6
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j badflags6
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j badflags6
[0:0] -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j badflags6
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j badflags6
[0:0] -A badflags6 -m limit --limit 15/min -j LOG --log-prefix "Badflags6:"
[0:0] -A badflags6 -j DROP

If the CA API Gateway does not log and drop TCP packets with bad flags, this is a finding.

Verify the CA API Gateway only allows certain ICMP types and rate limits pings.

Check for the following lines in "/etc/sysconfig/iptables":
[0:0] -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
[0:0] -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
[0:0] -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 2/sec -j ACCEPT
[0:0] -A INPUT -p icmp -j badflags
[0:0] -A OUTPUT -p icmp -m state --state INVALID -j DROP

Check for the following lines in "/etc/sysconfig/ip6tables":
[0:0] -A INPUT -p icmpv6 -m icmpv6 --icmpv6-type 1 -j ACCEPT
[0:0] -A INPUT -p icmpv6 -m icmpv6 --icmpv6-type 3 -j ACCEPT
[0:0] -A INPUT -p icmpv6 -m icmpv6 --icmpv6-type 129 -j ACCEPT
[0:0] -A INPUT -p icmpv6 -m icmpv6 --icmpv6-type 128 -m limit --limit 2/sec -j ACCEPT
[0:0] -A INPUT -p icmpv6 -m icmpv6 --icmpv6-type 133 -j ACCEPT
[0:0] -A INPUT -p icmpv6 -m icmpv6 --icmpv6-type 134 -j ACCEPT
[0:0] -A INPUT -p icmpv6 -m icmpv6 --icmpv6-type 135 -j ACCEPT
[0:0] -A INPUT -p icmpv6 -m icmpv6 --icmpv6-type 136 -j ACCEPT
[0:0] -A INPUT -p icmpv6 -m icmpv6 --icmpv6-type 137 -j ACCEPT
[0:0] -A INPUT -p icmpv6 -j badflags6

If the CA API Gateway allows other ICMP types or does not rate limit pings, this is a finding.
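
The check above can be scripted. The following is an added example, not part of the STIG or the vendor's tooling: a POSIX shell function that reports which required lines are missing from a rules file, ignoring the "[0:0]" counter prefix. The function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report STIG-required rules missing from an iptables rules file.
# Counters such as "[0:0]" are stripped before comparing, so a file saved with
# live packet counters does not produce false findings.
normalize() {
    # Drop "[pkts:bytes]" counters, collapse runs of blanks, trim both ends.
    sed -e 's/\[[0-9]*:[0-9]*\]//g' -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//'
}

# missing_rules RULES_FILE REQUIRED_FILE
# Prints each required line absent from RULES_FILE (exact whole-line match
# after normalization). Prints nothing when every required line is present.
missing_rules() {
    have=$(normalize < "$1")
    normalize < "$2" | while IFS= read -r want; do
        [ -n "$want" ] || continue
        printf '%s\n' "$have" | grep -Fxq -- "$want" || printf '%s\n' "$want"
    done
}

# Constructed sample data: a few required lines from the check above, and a
# rules file with live counters, a weakened default policy and no LOG rule.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/required" <<'EOF'
:INPUT DROP [0:0]
[0:0] -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j badflags
[0:0] -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 2/sec -j ACCEPT
[0:0] -A badflags -m limit --limit 15/min -j LOG --log-prefix "Badflags:"
[0:0] -A badflags -j DROP
EOF
cat > "$tmp/iptables" <<'EOF'
*filter
:INPUT ACCEPT [120:9000]
:badflags - [0:0]
[42:1680] -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j badflags
[7:588] -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 2/sec -j ACCEPT
[42:1680] -A badflags -j DROP
COMMIT
EOF

findings=$(missing_rules "$tmp/iptables" "$tmp/required")
if [ -n "$findings" ]; then
    printf 'FINDING, missing:\n%s\n' "$findings"
fi
```

On a gateway, pass "/etc/sysconfig/iptables" (or "/etc/sysconfig/ip6tables") as the first argument and a file holding the lines listed above as the second. The function checks presence only; rule order and any extra ACCEPT rules still need manual review.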

Documentable

False

Check Content Reference

M

Target Key

3051
