
The operating system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.


Overview

Finding ID: V-216237
Version: SOL-11.1-090280
Rule ID: SV-216237r940018_rule
IA Controls:
Severity: Medium
Description
In the case of denial of service attacks, care must be taken when designing the operating system so as to ensure that the operating system makes the best use of system resources.
STIG: Solaris 11 X86 Security Technical Implementation Guide
Date: 2023-11-27

Details

Check Text (C-36493r940017_chk)
Verify that you are on the global zone:
# zoneadm -z global list
global

Note: If you see the following message, you are not in the global zone:
"zoneadm: global: No such zone exists"

# dladm show-ether -Z | egrep "LINK|up"

LINK PTYPE STATE AUTO SPEED-DUPLEX PAUSE
net0 current up yes 1G-f bi

Determine the OS version that is being secured:

# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:

# dladm show-linkprop net0 | egrep "LINK|en_" | sort|uniq
LINK PROPERTY PERM VALUE EFFECTIVE DEFAULT POSSIBLE
net0 en_1000fdx_cap rw 1 1 1 1,0
net0 en_1000hdx_cap r- 0 0 0 1,0
net0 en_100fdx_cap rw 1 1 1 1,0
net0 en_100hdx_cap rw 1 1 1 1,0
net0 en_10fdx_cap rw 1 1 1 1,0
net0 en_10gfdx_cap -- -- -- 0 1,0
net0 en_10hdx_cap rw 1 1 1 1,0

Do the above for all available/connected network adapters.

For Solaris 11.4.x.x.x or newer:

# dladm show-linkprop -p speed-duplex net0
LINK PROPERTY PERM VALUE EFFECTIVE DEFAULT POSSIBLE
net0 speed-duplex rw 1g-f,100m-f,100m-h,10m-f,10m-h 1g-f,100m-f,100m-h,10m-f,10m-h 1g-f,100m-f,100m-h,10m-f,10m-h 1g-f,100m-f,100m-h,10m-f,10m-h

Do the above for all available/connected network adapters.

For each link, determine whether its current speed-duplex VALUE field is appropriate for managing any excess bandwidth capacity, judged against the modes listed in its POSSIBLE field; if it is not, this is a finding.
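The 11.4 check above is a manual comparison of VALUE, EFFECTIVE and POSSIBLE per link. The script below is an added example (not part of the STIG or of Oracle's tooling) that automates that comparison against an approved mode set; it assumes the parsable form `dladm show-linkprop -c -o link,value,effective,possible -p speed-duplex` emits one colon-separated record per link, and the sample records embedded in it are constructed.

```shell
#!/bin/sh
# Added example, not STIG text: flag links whose speed-duplex setting
# has not taken effect, is unrestricted, or enables a non-approved mode.
# Assumes parsable dladm output of the form link:value:effective:possible.

APPROVED="1g-f,100m-f"   # site policy: the modes a link may advertise

# Constructed sample of parsable dladm output (link:value:effective:possible)
SAMPLE='net0:1g-f,100m-f:1g-f,100m-f:1g-f,100m-f,100m-h,10m-f,10m-h
net1:1g-f,100m-f,100m-h,10m-f,10m-h:1g-f,100m-f,100m-h,10m-f,10m-h:1g-f,100m-f,100m-h,10m-f,10m-h
net2:1g-f,100m-f:1g-f,100m-f,100m-h:1g-f,100m-f,100m-h,10m-f,10m-h'

# check_link LINK VALUE EFFECTIVE POSSIBLE: prints a verdict, returns 0 when compliant
check_link() {
  link=$1 value=$2 effective=$3 possible=$4
  # VALUE must match EFFECTIVE, otherwise the setting is not actually in force
  if [ "$value" != "$effective" ]; then
    echo "$link: FINDING - VALUE ($value) differs from EFFECTIVE ($effective)"
    return 1
  fi
  # VALUE equal to POSSIBLE means every mode is enabled and nothing is managed
  if [ "$value" = "$possible" ]; then
    echo "$link: FINDING - all POSSIBLE modes enabled ($possible)"
    return 1
  fi
  # every enabled mode must belong to the approved set
  for mode in $(echo "$value" | tr ',' ' '); do
    case ",$APPROVED," in
      *",$mode,"*) ;;
      *) echo "$link: FINDING - mode $mode not in approved set ($APPROVED)"; return 1 ;;
    esac
  done
  echo "$link: OK ($value)"
  return 0
}

# audit_links: reads records on stdin, returns the number of findings
audit_links() {
  findings=0
  while IFS=: read -r link value effective possible; do
    [ -z "$link" ] && continue
    check_link "$link" "$value" "$effective" "$possible" || findings=$((findings + 1))
  done
  return $findings
}

# Live use: dladm show-linkprop -c -o link,value,effective,possible -p speed-duplex | audit_links
echo "$SAMPLE" | audit_links || echo "findings: $?"
```

Run as root or with the Network Management profile on each global zone; a non-zero exit count is the list of links to review by hand.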
Fix Text (F-36457r940018_fix)
The Network Management profile is required.

Set each link's speed-duplex protection to an appropriate value based on each configured network interface's POSSIBLE settings.

Determine the OS version that is being secured:

# uname -a

For Solaris 11, 11.1, 11.2, and 11.3:

# pfexec dladm set-linkprop -p en_1000fdx_cap=1 net0

Verify the EFFECTIVE column:
# dladm show-linkprop net0 | egrep "LINK|en_" | sort|uniq
LINK PROPERTY PERM VALUE EFFECTIVE DEFAULT POSSIBLE
net0 en_1000fdx_cap rw 1 1 1 1,0
net0 en_1000hdx_cap r- 0 0 0 1,0
net0 en_100fdx_cap rw 1 1 1 1,0
net0 en_100hdx_cap rw 1 1 1 1,0
net0 en_10fdx_cap rw 1 1 1 1,0
net0 en_10gfdx_cap -- -- -- 0 1,0
net0 en_10hdx_cap rw 1 1 1 1,0

Do the above for all available/connected network adapters.

For Solaris 11.4.x or newer:

# pfexec dladm set-linkprop -p speed-duplex=1g-f,100m-f net0

Verify the EFFECTIVE column:
# dladm show-linkprop -p speed-duplex net0
LINK PROPERTY PERM VALUE EFFECTIVE DEFAULT POSSIBLE
net0 speed-duplex rw 1g-f,100m-f 1g-f,100m-f 1g-f,100m-f,100m-h,10m-f,10m-h 1g-f,100m-f,100m-h,10m-f,10m-h

Do the above for all available/connected network adapters.