{"description": "Create the file <tt>/etc/dhcp/dhclient.conf</tt>, and add an\nappropriate setting for each of the ten configuration settings which can be\nobtained via DHCP. For each setting, do one of the following:\n<br />\nIf the setting should <i>not</i> be configured remotely by the DHCP server,\nselect an appropriate static value, and add the line:\n<pre>supersede <tt>setting value</tt>;</pre>\nIf the setting should be configured remotely by the DHCP server, add the lines:\n<pre>request <tt>setting</tt>;\nrequire <tt>setting</tt>;</pre>\nFor example, suppose the DHCP server should provide only the IP address itself\nand the subnet mask. Then the entire file should look like:\n<pre>supersede domain-name \"example.com\";\nsupersede domain-name-servers 192.168.1.2;\nsupersede nis-domain \"\";\nsupersede nis-servers \"\";\nsupersede ntp-servers \"ntp.example.com\";\nsupersede routers 192.168.1.1;\nsupersede time-offset -18000;\nrequest subnet-mask;\nrequire subnet-mask;</pre>", "rationale": "By default, the DHCP client program, dhclient, requests and applies\nten configuration options (in addition to the IP address) from the DHCP server:\nsubnet-mask, broadcast-address, time-offset, routers, domain-name,\ndomain-name-servers, host-name, nis-domain, nis-servers, and ntp-servers.  Many\nof the options requested and applied by dhclient may be the same for every\nsystem on a network. It is recommended that almost all configuration options be\nassigned statically, and only options which must vary on a host-by-host basis\nbe assigned via DHCP. This limits the damage which can be done by a rogue DHCP\nserver.  If appropriate for your site, it is also possible to supersede the\nhost-name directive in <tt>/etc/dhcp/dhclient.conf</tt>, establishing a static\nhostname for the system. However, dhclient does not use the host name option\nprovided by the DHCP server (instead using the value provided by a reverse DNS\nlookup).", "severity": "unknown", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": null, "ocil": null, "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "In this example, the options nis-servers and\nnis-domain are set to empty strings, on the assumption that the deprecated NIS\nprotocol is not in use. It is necessary to supersede settings for unused\nservices so that they cannot be set by a hostile DHCP server. If an option is\nset to an empty string, dhclient will typically not attempt to configure the\nservice."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Minimize the DHCP-Configured Options", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/dhcp/dhcp_client_configuration/dhcp_client_restrict_options/rule.yml", "template": null}