The operating system must disable the use of organization-defined networking protocols within the operating system deemed to be nonsecure except for explicitly identified components in support of specific operational requirements.

From Solaris 11 SPARC Security Technical Implementation Guide

Part of SRG-OS-000248

Associated with: CCI-001436

SV-61099r1_rule The operating system must disable the use of organization-defined networking protocols within the operating system deemed to be nonsecure except for explicitly identified components in support of specific operational requirements.

Vulnerability discussion

Organization-defined networking protocols can be limited through the use of the host-based firewall.

Check content

The IP Filter Management profile is required. Check that the IP Filter firewall is enabled and configured so that only encrypted SSH sessions are allowed. # svcs ipfilter If ipfilter is not listed with a state of online, this is a finding. The IP Filter Management profile is required. Check that the filters are configured properly. # ipfstat -io If the output of this command does not include these lines: block out log all keep state keep frags pass in log quick proto tcp from any to any port = ssh keep state block in log all block in log from any to 255.255.255.255/32 block in log from any to 127.0.0.1/32 this is a finding. Even if the lines above are included in the output, it is possible that other lines can contradict the firewall settings. Review the firewall rules and ensure that they conform to organizational and mission requirements. If the firewall rules are not configured to organizational standards, this is a finding.

Fix text

The root role is required. Configure and enable the IP Filters policy. # pfedit /etc/ipf/ipf.conf. Add these lines to the file: # Allow SSH (note you cannot restrict to SSHv2 here. This can # only be done in /etc/ssh/sshd_config.) pass in log quick proto tcp from any to any port = 22 keep state # Do not allow all outbound traffic, keep state, and log block out log all keep state keep frags # Block and log everything else that comes in block in log all block in log from any to 255.255.255.255 block in log from any to 127.0.0.1/32 Enable ipfilter. # svcadm enable ipfilter Notify ipfilter to use the new configuration file. # ipf -Fa -f /etc/ipf/ipf.conf Note: This is an extremely strict firewall policy disabling all network traffic except incoming SSH (port 22) connections. Operational requirements may dictate the addition of other protocols such as DNS, NTP, HTTP, and HTTPS to be allowed.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer