UCF STIG Viewer Logo

The system must prevent local applications from generating source-routed packets.


Overview

Finding ID Version Rule ID IA Controls Severity
V-216157 SOL-11.1-050370 SV-216157r603268_rule Low
Description
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.
STIG Date
Solaris 11 X86 Security Technical Implementation Guide 2021-11-23

Details

Check Text ( C-17395r372853_chk )
Determine the OS version you are currently securing.
# uname –v

Solaris 11, 11.1, 11.2, and 11.3 use IP Filter. To continue checking IP Filter, the IP Filter Management profile is required.

Check the system for an IPF rule blocking outgoing source-routed packets.

# ipfstat -o

Examine the list for rules such as:
block out log quick from any to any with opt lsrr
block out log quick from any to any with opt ssrr

If the listed rules do not block both lsrr and ssrr options, this is a finding.

For Solaris 11.3 or newer that use Packet Filter, the Network Firewall Management rights profile is required.

Ensure that IP Options are not in use:
# pfctl -s rules | grep allow-opts

If any output is returned, this is a finding.
Fix Text (F-17393r372854_fix)
The root role is required.

# pfedit /etc/ipf/ipf.conf

For Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter dd rules to block outgoing source-routed packets, such as:

block out log quick all with opt lsrr
block out log quick all with opt ssrr

Reload the IPF rules.

# ipf -Fa -A -f /etc/ipf/ipf.conf

For Solaris 11.3 or newer that use Packet Filter remove or modify any rules that include "allow-opts".

Reload the Packet Filter rules:
# svcadm refresh firewall:default