Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The system must prevent local applications from generating source-routed packets.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-216394 | SOL-11.1-050370 | SV-216394r959010_rule | Low |
| Description |
|---|
| Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. |
| STIG | Date |
|---|---|
| Solaris 11 SPARC Security Technical Implementation Guide | 2024-05-30 |
Details
| Check Text ( C-17630r371270_chk ) |
|---|
| Determine the OS version you are currently securing. # uname –v Solaris 11, 11.1, 11.2, and 11.3 use IP Filter. To continue checking IP Filter, the IP Filter Management profile is required. Check the system for an IPF rule blocking outgoing source-routed packets. # ipfstat -o Examine the list for rules such as: block out log quick from any to any with opt lsrr block out log quick from any to any with opt ssrr If the listed rules do not block both lsrr and ssrr options, this is a finding. For Solaris 11.3 or newer that use Packet Filter, the Network Firewall Management rights profile is required. Ensure that IP Options are not in use: # pfctl -s rules | grep allow-opts If any output is returned, this is a finding. |
| Fix Text (F-17628r371271_fix) |
|---|
| The root role is required. # pfedit /etc/ipf/ipf.conf For Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter dd rules to block outgoing source-routed packets, such as: block out log quick all with opt lsrr block out log quick all with opt ssrr Reload the IPF rules. # ipf -Fa -A -f /etc/ipf/ipf.conf For Solaris 11.3 or newer that use Packet Filter remove or modify any rules that include "allow-opts". Reload the Packet Filter rules: # svcadm refresh firewall:default |