UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The operating system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.


Overview

Finding ID Version Rule ID IA Controls Severity
V-216473 SOL-11.1-090280 SV-216473r603267_rule Medium
Description
In the case of denial of service attacks, care must be taken when designing the operating system so as to ensure that the operating system makes the best use of system resources.
STIG Date
Solaris 11 SPARC Security Technical Implementation Guide 2020-12-08

Details

Check Text ( C-36489r603070_chk )
Determine active Ethernet interfaces and note each LINK name and SPEED-DUPLEX:

# dladm show-ether -Z | egrep "LINK|up"

LINK PTYPE STATE AUTO SPEED-DUPLEX PAUSE
net0 current up yes 1G-f bi
net1 current up yes 100m-f bi

Determine the OS version you are currently securing:

# uname –v

For Solaris 11, 11.1, 11.2, and 11.3:

# dladm show-linkprop net0 | egrep "LINK|en_" | sort|uniq

LINK PROPERTY PERM VALUE EFFECTIVE DEFAULT POSSIBLE
net0 en_1000fdx_cap rw 1 1 0 1,0
net0 en_1000hdx_cap r- 0 0 0 1,0
net0 en_100fdx_cap rw 1 1 1 1,0
net0 en_100hdx_cap rw 1 1 1 1,0
net0 en_10fdx_cap rw 1 1 1 1,0
net0 en_10gfdx_cap -- -- -- 0 1,0
net0 en_10hdx_cap rw 1 1 1 1,0
net0 en_25gfdx_cap -- -- -- 0 1,0
net0 en_40gfdx_cap -- -- -- 0 1,0

# dladm show-linkprop net1 | egrep "LINK|en_" | sort|uniq

LINK PROPERTY PERM VALUE EFFECTIVE DEFAULT POSSIBLE
net1 en_1000fdx_cap rw 0 0 0 1,0
net1 en_1000hdx_cap r- 0 0 0 1,0
net1 en_100fdx_cap rw 1 1 1 1,0
net1 en_100hdx_cap rw 1 1 1 1,0
net1 en_10fdx_cap rw 1 1 1 1,0
net1 en_10gfdx_cap -- -- -- 0 1,0
net1 en_10hdx_cap rw 1 1 1 1,0
net1 en_25gfdx_cap -- -- -- 0 1,0
net1 en_40gfdx_cap -- -- -- 0 1,0

For Solaris 11.4 or newer:

# dladm show-linkprop -p speed-duplex net0

LINK PROPERTY PERM VALUE EFFECTIVE DEFAULT POSSIBLE
net0 speed-duplex rw 1g-f,100m-f, 1g-f,100m-f, 100m-f, 1g-f,100m-f,
100m-h, 100m-h, 100m-h, 100m-h,10m-f,
10m-f,10m-h 10m-f,10m-h 10m-f, 10m-h
10m-h

# dladm show-linkprop -p speed-duplex net1

LINK PROPERTY PERM VALUE EFFECTIVE DEFAULT POSSIBLE
net1 speed-duplex rw 100m-f 100m-f 100m-f, 1g-f,100m-f,
100m-h, 100m-h,10m-f,
10m-f, 10m-h
10m-h

For each link, determine if its current speed-duplex settings VALUE field is appropriate for managing any excess bandwidth capacity based on its POSSIBLE settings field; if not, this is a finding.
Fix Text (F-36453r603071_fix)
The Network Management profile is required.

Set each link’s speed-duplex protection to an appropriate value based on each configured network interface’s POSSIBLE settings.

Determine the OS version you are currently securing:

# uname –v

For Solaris 11, 11.1, 11.2, and 11.3:

# pfexec dladm set-linkprop -p en_1000fdx_cap=1 net1

For Solaris 11.4 or newer:

# pfexec dladm set-linkprop -p speed-duplex=1g-f,100m-f net1