UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The operating system must prevent internal users from sending out packets which attempt to manipulate or spoof invalid IP addresses.


Overview

Finding ID Version Rule ID IA Controls Severity
V-48191 SOL-11.1-050470 SV-61063r1_rule Medium
Description
Manipulation of IP addresses can allow untrusted systems to appear as trusted hosts, bypassing firewall and other security mechanism and resulting in system penetration.
STIG Date
Solaris 11 SPARC Security Technical Implementation Guide 2015-04-03

Details

Check Text ( C-50623r2_chk )
This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Determine if network link protection capabilities are enabled on each network interface.

# dladm show-linkprop -p protection
LINK PROPERTY PERM VALUE DEFAULT POSSIBLE
net0 protection rw mac-nospoof, -- mac-nospoof,
restricted, restricted,
ip-nospoof, ip-nospoof,
dhcp-nospoof dhcp-nospoof

If mac-nospoof, restricted, ip-nospoof, and dhcp-nospoof do not appear in the " VALUE" column, this is a finding.
Fix Text (F-51799r1_fix)
This action applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this action applies.

The Network Link Security profile is required.

Determine which network interfaces are available and what protection modes are enabled.

Enable link protection on each configured network interface.

# pfexec dladm set-linkprop -p protection=mac-nospoof,restricted,ip-nospoof,dhcp-nospoof [interface name]