The DHCP client must be disabled if not needed.

From Red Hat Enterprise Linux 6 Security Technical Implementation Guide

Part of SRG-OS-999999

Associated with: CCI-000366

SV-50480r3_rule The DHCP client must be disabled if not needed.

Vulnerability discussion

DHCP relies on trusting the local network. If the local network is not trusted, then it should not be used. However, the automatic configuration provided by DHCP is commonly used and the alternative, manual configuration, presents an unacceptable burden in many circumstances.

Check content

If DHCP is required by the organization, this is Not Applicable. For each interface [IFACE] on the system (e.g. eth0), verify that DHCP is not being used: # cat /etc/sysconfig/network-scripts/ifcfg-[IFACE] | grep -i “bootproto” | grep –v “#” BOOTPROTO=none If no output is returned this is a finding. If BOOTPROTO is not set to ”none”, this is a finding.

Fix text

For each interface [IFACE] on the system (e.g. eth0), edit "/etc/sysconfig/network-scripts/ifcfg-[IFACE]" and make the following changes. Correct the BOOTPROTO line to read: BOOTPROTO=none Add or correct the following lines, substituting the appropriate values based on your site's addressing scheme: NETMASK=[local LAN netmask] IPADDR=[assigned IP address] GATEWAY=[local LAN default gateway]

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer