{"description": "To set the runtime status of the <code>net.ipv4.ip_forward</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.ip_forward=0</pre>\nTo make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv4.ip_forward = 0</pre>", "rationale": "Routing protocol daemons are typically used on routers to exchange\nnetwork topology information with other routers. If this capability is used when\nnot required, system network information may be unnecessarily transmitted across\nthe network.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "2", "3", "7", "8", "9"], "cobit5": ["APO13.01", "BAI04.04", "BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS01.03", "DSS03.05", "DSS05.02", "DSS05.05", "DSS05.07", "DSS06.06"], "cui": ["3.1.20"], "isa-62443-2009": ["4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4", "4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 6.2", "SR 7.1", "SR 7.2", "SR 7.6"], "iso27001-2013": ["A.12.1.2", "A.12.1.3", "A.12.5.1", "A.12.6.2", "A.13.1.1", "A.13.2.1", "A.14.1.3", "A.14.2.2", "A.14.2.3", "A.14.2.4", "A.17.2.1", "A.9.1.2"], "nerc-cip": ["CIP-007-3 R4", "CIP-007-3 R4.1", "CIP-007-3 R4.2", "CIP-007-3 R5.1"], "nist": ["CM-7(a)", "CM-7(b)", "SC-5", "CM-6(a)", "SC-7(a)"], "nist-csf": ["DE.CM-1", "PR.DS-4", "PR.IP-1", "PR.PT-3", "PR.PT-4"], "pcidss": ["Req-1.3.1", "Req-1.3.2"], "srg": ["SRG-OS-000480-GPOS-00227"], "anssi": ["R12"], "cis": ["3.3.1"], "pcidss4": ["1.4.3", "1.4"]}, "control_references": {"anssi": ["R12"], "cis": ["3.3.1"], "pcidss4": ["1.4.3", "1.4"]}, "components": [], "identifiers": {}, "ocil_clause": "the correct value is not returned", "ocil": "The runtime status of the <code>net.ipv4.ip_forward</code> kernel parameter can be queried\nby running the following command:\n<pre>$ sysctl net.ipv4.ip_forward</pre>\n<code>0</code>.\nThe ability to forward packets is only appropriate for routers.", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to not allow IPv4 packet forwarding, unless the system is a router.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must not enable IPv4 packet forwarding unless the system is a router.", "warnings": [{"functionality": "Certain technologies such as virtual machines, containers, etc. rely on IPv4 forwarding to enable and use networking.\nDisabling IPv4 forwarding would cause those technologies to stop working. Therefore, this rule should not be used in\nprofiles or benchmarks that target usage of IPv4 forwarding."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must not enable IPv4 packet forwarding unless the system is a router.", "vuldiscussion": "Routing protocol daemons are typically used on routers to exchange\nnetwork topology information with other routers. If this capability is used when\nnot required, system network information may be unnecessarily transmitted across\nthe network.", "checktext": "Verify Ubuntu 22.04 is not performing IPv4 packet forwarding, unless the system is a router.\n\nCheck that IPv4 forwarding is disabled using the following command:\n\n$ sysctl net.ipv4.conf.all.forwarding\n\nnet.ipv4.conf.all.forwarding = 0\n\nIf the IPv4 forwarding value is not \"0\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | grep -Ev '^(#|$)' | grep -F net.ipv4.conf.all.forwarding | tail -1\n\nnet.ipv4.conf.all.forwarding = 0\n\nIf \"net.ipv4.conf.all.forwarding\" is not set to \"0\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, or is missing, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to not allow IPv4 packet forwarding, unless the system is a router.\n\nAdd or edit the following line in a single system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.all.forwarding = 0\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system"}}, "platform": null, "platforms": [], "sce_metadata": {"check-import": "stdout", "platform": ["multi_platform_all"], "environment": "any", "filename": "sysctl_net_ipv4_ip_forward.sh", "relative_path": "ubuntu2204/checks/sce/sysctl_net_ipv4_ip_forward.sh"}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml", "template": {"name": "sysctl", "vars": {"sysctlvar": "net.ipv4.ip_forward", "sysctlval": "0", "datatype": "int"}, "backends": {}}}