Red Hat 5 STIG: Network Settings

Tuesday, August 23, 2011

Jamie Adams


The draft release of the U.S. Defense Information Systems Agency's (DISA) “Red Hat 5 STIG” earlier this year has a few system administrators panicking.

For Red Hat Enterprise Linux 5 administrators, this Security Technical Implementation Guide (STIG) has supplanted the generic UNIX STIG.

The generic UNIX STIG had the single potential discrepancy indicator (PDI) “GEN003600 - Network Security Settings.” The checklist document required you to check four network settings in the running kernel. The new Red Hat 5 STIG, however, has many more settings and provides better explanations.

I would caution administrators against rushing to add all of these settings to their systems, because most of them are already kernel defaults. Nonetheless, the settings must be explicitly set in the sysctl.conf configuration file. My recommendation is to review the entire STIG in order to define a complete sysctl.conf file, so that it can be deployed and tested all at once.

To help get you started with the new Red Hat 5 STIG, I have compiled a list of settings from the guideline as well as a few from the “National Security Agency Guide to the Secure Configuration of RHEL5.”

First of all, the ability to configure network interfaces should be limited to privileged users (GEN003581). This is achieved by setting “USERCTL” to “no” in the /etc/sysconfig/network-scripts/ifcfg* files.

The NSA configuration guide recommends disabling zero configuration networking (zeroconf), a set of techniques that automatically creates a usable Internet Protocol (IP) network without manual operator intervention or special configuration servers. To disable zeroconf, set “NOZEROCONF” to “yes” in the /etc/sysconfig/network file.
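The two interface-level settings above (USERCTL in the ifcfg-* files and NOZEROCONF in /etc/sysconfig/network) are easy to verify with a short script. The following is an added example, not code from the article or from DISA or the NSA; the function names ifcfg_get, check_userctl and check_nozeroconf are my own, and the live paths under /etc/sysconfig are the usual RHEL5 locations. It reports each non-compliant file and returns non-zero so it can be run from a deployment test:

```shell
#!/bin/sh
# Added example (not from the original article): audit the RHEL5 interface
# configuration for the two settings discussed above.
#   GEN003581: every ifcfg-* file must carry USERCTL=no
#   NSA guide:  /etc/sysconfig/network must carry NOZEROCONF=yes
# Function names and the argument-driven paths are this example's own.

# Print the value of KEY from a shell-style KEY=value file, quotes stripped.
# Usage: ifcfg_get FILE KEY
ifcfg_get() {
    [ -f "$1" ] || return 1
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'"
}

# Check every ifcfg-* file under DIR for USERCTL=no.
# Prints one line per non-compliant file; returns 1 if any were found.
check_userctl() {
    dir=$1; bad=0
    for f in "$dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        v=$(ifcfg_get "$f" USERCTL)
        if [ "$v" != "no" ]; then
            echo "NONCOMPLIANT: $f USERCTL='${v:-unset}' (expected no)"
            bad=1
        fi
    done
    return $bad
}

# Check that FILE (normally /etc/sysconfig/network) sets NOZEROCONF=yes.
check_nozeroconf() {
    v=$(ifcfg_get "$1" NOZEROCONF)
    if [ "$v" = "yes" ]; then
        return 0
    fi
    echo "NONCOMPLIANT: $1 NOZEROCONF='${v:-unset}' (expected yes)"
    return 1
}

# Live audit of the standard RHEL5 locations: sh ifcfg_audit.sh audit
if [ "${1:-}" = "audit" ]; then
    rc=0
    check_userctl /etc/sysconfig/network-scripts || rc=1
    check_nozeroconf /etc/sysconfig/network || rc=1
    exit $rc
fi
```

Quoted values such as USERCTL="no" are accepted, and a file with no USERCTL line at all is reported as non-compliant rather than silently passed, since the default for a missing USERCTL is not guaranteed to be "no".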

As before, IP forwarding [ip_forward] should be disabled (GEN005600) and the new guideline recommends not forwarding (GEN003600) or accepting (GEN003607) source-routed packets [accept_source_route] either.

The system must not respond to broadcast Internet Control Message Protocol (ICMP) echoes (GEN003603) or timestamp requests (GEN003604) [icmp_echo_ignore_broadcasts].

Furthermore, the system must ignore ICMP redirect messages (GEN003609) [accept_redirects] as well as not send ICMP redirects (GEN003610) [send_redirects]. Other guidelines recommend not accepting “secure” ICMP redirects [secure_redirects] either. A secure redirect is one sent by a gateway that appears in the host's default gateway list.

To provide some mitigation against TCP denial of service attacks, the guideline (GEN003601) recommends adjusting the TCP backlog queue size [tcp_max_syn_backlog]. Additionally (GEN003612), your system should be configured to respond with SYN cookies [tcp_syncookies] to remote hosts that are flooding your system's backlog queue with SYN packets. These cookies let the kernel check whether an inbound SYN was legitimate before it commits resources to the connection.

Enabling the TCP syncookies option on a system under normal load is harmless and useful. If your system comes under high load it will still accept new connections, but without advanced TCP features such as explicit congestion notification (ECN) or selective acknowledgment (SACK).

To help mitigate the leaking of addressing information between attached network segments, the guideline (GEN003608) recommends disabling proxy Address Resolution Protocol (ARP) [proxy_arp].

The guideline (GEN003613) recommends that the system perform source validation by reverse path [rp_filter]. When reverse path source validation is enabled, an inbound packet is dropped if its source address is not reachable through the interface on which the packet arrived (i.e., an asymmetric route).

It should be noted, however, that enabling this may cause problems in complex networks running a slow and unreliable protocol, using static routes, or where asymmetric routes are present. Asymmetric routes are not common, but may be necessary in certain cases. By default, Linux drops packets in which asymmetric routes are used because of the security risk.[1]

It is also recommended (GEN003619) that network bridging be disabled. Bridging is usually provided by a kernel module, which can be checked for with the lsmod(8) command. To prevent it from loading, add the appropriate line for that module to the modprobe.conf file.

Finally, the guideline (GEN003611) recommends the kernel log all martian packets [log_martians]. Martian packets are packets which contain addresses known by the system to be invalid.

As I said earlier, many of these settings are kernel defaults. However, it is best to add the following settings into your /etc/sysctl.conf file:

net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

Now, you can execute /sbin/sysctl -p as root or reboot the system.
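Once the settings are in sysctl.conf, the check a STIG reviewer will actually perform is whether the running kernel agrees with the file. The script below is an added example (not the article's, DISA's or NSA's code) that serves both the bridging-module check above and the sysctl list: it maps each key in a sysctl.conf-style file to its /proc/sys entry and reports mismatches, and it checks that the bridge module is absent from lsmod output and blocked in modprobe.conf. The /proc/sys root and the lsmod output are passed as parameters so the logic can be exercised against a constructed tree; the "install bridge /bin/true" line is the conventional way to block a module in /etc/modprobe.conf and is an assumption here, as are the function names.

```shell
#!/bin/sh
# Added example (not from the original article): verify the running kernel
# against a sysctl.conf-style list and confirm bridging is disabled.
# Assumptions: "key = value" lines in the settings file; the /proc/sys root
# and the lsmod output are parameters so the checks can run against a
# constructed tree; "install bridge /bin/true" is the conventional block line.

# Translate a dotted sysctl key (net.ipv4.ip_forward) into its /proc/sys path.
# Usage: sysctl_path PROC_SYS_ROOT KEY
sysctl_path() {
    echo "$1/$(echo "$2" | tr '.' '/')"
}

# Compare every "key = value" line in CONF with the live value under ROOT.
# Prints one line per problem; returns the number of problems (0 = compliant).
# Usage: check_sysctls CONF [ROOT]   (ROOT defaults to /proc/sys)
check_sysctls() {
    conf=$1; root=${2:-/proc/sys}; bad=0
    tmp=$(mktemp)
    # drop comments and blank lines before parsing
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf" > "$tmp"
    while IFS='=' read -r key want; do
        key=$(echo "$key" | tr -d '[:space:]')
        want=$(echo "$want" | tr -d '[:space:]')
        path=$(sysctl_path "$root" "$key")
        if [ ! -r "$path" ]; then
            echo "MISSING: $key (no $path on this kernel)"
            bad=$((bad+1)); continue
        fi
        have=$(tr -d '[:space:]' < "$path")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH: $key running=$have expected=$want"
            bad=$((bad+1))
        fi
    done < "$tmp"
    rm -f "$tmp"
    return $bad
}

# GEN003619: the bridge module must be blocked in MODCONF and not present in
# the lsmod output saved in LSMOD_OUT. Returns 1 on either finding.
# Usage: check_bridge_module MODCONF LSMOD_OUT
check_bridge_module() {
    modconf=$1; lsmod_out=$2; bad=0
    if ! grep -Eq '^[[:space:]]*install[[:space:]]+bridge[[:space:]]+/bin/true' "$modconf" 2>/dev/null; then
        echo "NONCOMPLIANT: $modconf lacks 'install bridge /bin/true'"
        bad=1
    fi
    if grep -Eq '^bridge[[:space:]]' "$lsmod_out" 2>/dev/null; then
        echo "NONCOMPLIANT: bridge module is currently loaded"
        bad=1
    fi
    return $bad
}

# Live audit on a RHEL5 host: sh stig_net_audit.sh audit [/etc/sysctl.conf]
if [ "${1:-}" = "audit" ]; then
    rc=0
    check_sysctls "${2:-/etc/sysctl.conf}" /proc/sys || rc=1
    snap=$(mktemp)
    lsmod > "$snap" 2>/dev/null || true
    check_bridge_module /etc/modprobe.conf "$snap" || rc=1
    rm -f "$snap"
    exit $rc
fi
```

Run it after /sbin/sysctl -p and again after a reboot: a value that is correct in the first run but wrong in the second usually means another startup script (or an init script for a service that sets its own sysctls) is overriding sysctl.conf, which is exactly the kind of discrepancy a reviewer will flag.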

[1] Benvenuti, Christian. Understanding Linux Network Internals, Chapter 31. Sebastopol, CA: O'Reilly Media, Inc., 2006.

Cross-posted from Security Blanket Technical Blog
