Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-215429 | AIX7-00-003134 | SV-215429r508663_rule | | Medium |
Description |
---|
The processing of Internet Control Message Protocol (ICMP) timestamp requests increases the attack surface of the system. |
STIG | Date |
---|---|
IBM AIX 7.x Security Technical Implementation Guide | 2021-03-10 |
Check Text (C-16627r294738_chk) |
---|

From the command prompt, run the following command to check if the "ipsec_v4" and "ipsec_v6" devices are active:

```
# lsdev -Cc ipsec
```

The above command should yield the following output:

```
ipsec_v4 Available  IP Version 4 Security Extension
ipsec_v6 Available  IP Version 6 Security Extension
```

If "ipsec_v4" or "ipsec_v6" is not displayed, or it is not in the "Available" state, this is a finding.

Determine if the system is configured to respond to ICMP Timestamp requests using the following command:

```
# lsfilt
Beginning of IPv4 filter rules.
Rule 1:
Rule action         : permit
Source Address      : 0.0.0.0
Source Mask         : 0.0.0.0
Destination Address : 0.0.0.0
Destination Mask    : 0.0.0.0
Source Routing      : no
Protocol            : udp
Source Port         : eq 4001
Destination Port    : eq 4001
Scope               : both
Direction           : both
Logging control     : no
Fragment control    : all packets
Tunnel ID number    : 0
Interface           : all
Auto-Generated      : yes
Expiration Time     : 0
Description         : Default Rule

Rule 2: *** Dynamic filter placement rule for IKE tunnels ***
Logging control     : no

Rule 3:
Rule action         : deny
Source Address      : 0.0.0.0
Source Mask         : 0.0.0.0
Destination Address : 0.0.0.0
Destination Mask    : 0.0.0.0
Source Routing      : yes
Protocol            : icmp
ICMP type           : any 0
ICMP code           : eq 13
Scope               : both
Direction           : inbound
Logging control     : no
Fragment control    : all packets
Tunnel ID number    : 0
Interface           : all
Auto-Generated      : no
Expiration Time     : 0
Description         :

Rule 4:
Rule action         : deny
Source Address      : 0.0.0.0
Source Mask         : 0.0.0.0
Destination Address : 0.0.0.0
Destination Mask    : 0.0.0.0
Source Routing      : yes
Protocol            : icmp
ICMP type           : eq 14
ICMP code           : any 0
Scope               : both
Direction           : outbound
Logging control     : no
Fragment control    : all packets
Tunnel ID number    : 0
Interface           : all
Auto-Generated      : no
Expiration Time     : 0
Description         :

Rule 0:
Rule action         : permit
Source Address      : 0.0.0.0
Source Mask         : 0.0.0.0
Destination Address : 0.0.0.0
Destination Mask    : 0.0.0.0
Source Routing      : yes
Protocol            : all
Source Port         : any 0
Destination Port    : any 0
Scope               : both
Direction           : both
Logging control     : no
Fragment control    : all packets
Tunnel ID number    : 0
Interface           : all
Auto-Generated      : no
Expiration Time     : 0
Description         : Default Rule
End of IPv4 filter rules.
```

If there is no rule blocking ICMP packet type "13" and ICMP packet type "14" (rule #3 and rule #4 above), this is a finding.
Fix Text (F-16625r294739_fix) |
---|
From the command prompt, run the following commands to create and activate the "ipsec_v4" and "ipsec_v6" devices:

```
# mkdev -l ipsec -t 4
# mkdev -l ipsec -t 6
```

Run the following commands to create two IPsec rules to block the ICMP timestamp request and reply:

```
# genfilt -v 4 -a D -s 0 -m 0 -d 0 -M 0 -c icmp -O eq -P 13 -r B -w I -i all
# genfilt -v 4 -a D -s 0 -m 0 -d 0 -M 0 -c icmp -o eq -p 14 -r B -w O -i all
```

From the command prompt, run the following command to activate all the filter rules in the rule database:

```
# mkfilt -u
```
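The check text above leaves the auditor to read the `lsfilt` listing by eye. The script below is an added example, not part of the STIG or of IBM's tooling: a POSIX sh/awk audit that parses an `lsfilt` listing and reports whether a deny rule for inbound ICMP 13 and a deny rule for outbound ICMP 14 exist. It assumes `lsfilt` prints one "Key : value" field per line, laid out as in the listing quoted in the check text; the two listings embedded in it are constructed from that quoted output, one mirroring the compliant state and one showing only the default rules. On a live host it would be run as `lsfilt | audit_icmp_ts`.

```shell
#!/bin/sh
# Added example (not part of the STIG text): audit `lsfilt` output for the two
# deny rules this check looks for. Assumes lsfilt prints one "Key : value"
# field per line, laid out as in the listing quoted in the check text.
# Usage on a live system:  lsfilt | audit_icmp_ts

# audit_icmp_ts reads an IPv4 lsfilt listing on stdin, reports whether the
# inbound 13 and outbound 14 deny rules are present, and returns 0 when both
# are present or 1 when either is missing (a finding).
audit_icmp_ts() {
    awk '
    # Evaluate the rule collected so far, then clear the per-rule fields.
    function flush() {
        if (action == "deny" && proto == "icmp") {
            # Accept 13/14 in either the ICMP type or the ICMP code field: the
            # listing in the check text carries 13 in the code field of
            # rule 3 and 14 in the type field of rule 4.
            if (dir == "inbound"  && (ity == "eq 13" || icode == "eq 13")) inb = 1
            if (dir == "outbound" && (ity == "eq 14" || icode == "eq 14")) outb = 1
        }
        action = proto = dir = ity = icode = ""
    }
    /^Rule [0-9]+:/ { flush(); next }
    {
        # Split "Key : value" on the first " : "; lines without it are skipped.
        i = index($0, " : ")
        if (i == 0) next
        key = substr($0, 1, i - 1); val = substr($0, i + 3)
        sub(/ +$/, "", key); sub(/^ +/, "", val); sub(/ +$/, "", val)
        if      (key == "Rule action") action = val
        else if (key == "Protocol")    proto  = val
        else if (key == "Direction")   dir    = val
        else if (key == "ICMP type")   ity    = val
        else if (key == "ICMP code")   icode  = val
    }
    END {
        flush()
        printf "inbound ICMP 13 deny rule : %s\n", (inb  ? "present" : "MISSING")
        printf "outbound ICMP 14 deny rule: %s\n", (outb ? "present" : "MISSING")
        if (inb && outb) { print "result: compliant"; exit 0 }
        print "result: finding"; exit 1
    }'
}

# Constructed listing that mirrors the compliant example in the check text
# (only the fields the audit reads, plus a few others for realism).
compliant_listing() {
cat <<'EOF'
Beginning of IPv4 filter rules.
Rule 1:
Rule action        : permit
Source Address     : 0.0.0.0
Protocol           : udp
Source Port        : eq 4001
Direction          : both
Description        : Default Rule
Rule 2:
*** Dynamic filter placement rule for IKE tunnels ***
Logging control    : no
Rule 3:
Rule action        : deny
Protocol           : icmp
ICMP type          : any 0
ICMP code          : eq 13
Direction          : inbound
Rule 4:
Rule action        : deny
Protocol           : icmp
ICMP type          : eq 14
ICMP code          : any 0
Direction          : outbound
Rule 0:
Rule action        : permit
Protocol           : all
Direction          : both
Description        : Default Rule
End of IPv4 filter rules.
EOF
}

# Constructed listing with only the default rules: what lsfilt shows before
# the fix has been applied.
noncompliant_listing() {
cat <<'EOF'
Beginning of IPv4 filter rules.
Rule 1:
Rule action        : permit
Protocol           : udp
Direction          : both
Rule 0:
Rule action        : permit
Protocol           : all
Direction          : both
End of IPv4 filter rules.
EOF
}

# Stand-alone demonstration against both constructed listings.
echo "== constructed compliant listing"
compliant_listing | audit_icmp_ts || :
echo "== constructed listing without the deny rules"
noncompliant_listing | audit_icmp_ts || :
```

The audit keys on the three fields that decide the outcome (action, protocol, direction) plus the ICMP type/code values, so extra or reordered fields in a real listing do not affect it; the exit status makes it usable from a compliance scanner that only looks at return codes.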