Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The system must use initial TCP sequence numbers most resistant to sequence number guessing attacks.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-12001 | GEN003580 | SV-35010r1_rule | ECSC-1 | Medium |
| Description |
|---|
| One use of initial TCP sequence numbers is to verify bidirectional communication between two hosts, which provides some protection against spoofed source addresses being used by the connection originator. If the initial TCP sequence numbers for a host can be determined by an attacker, it may be possible to establish a TCP connection from a spoofed source address without bidirectional communication. |
| STIG | Date |
|---|---|
| HP-UX 11.31 Security Technical Implementation Guide | 2017-12-08 |
Details
| Check Text ( C-36499r1_chk ) |
|---|
| # ndd -get /dev/tcp tcp_isn_passphrase If the value 1 is not returned, this is a finding. |
| Fix Text (F-31854r1_fix) |
|---|
| # ndd -set /dev/tcp tcp_isn_passphrase Edit /etc/rc.config.d/nddconf and add/set: TRANSPORT_NAME[x] = tcp NDD_NAME[x] = tcp_isn_passphrase NDD_VALUE[x] = |