{"description": "To set the runtime status of the <code>net.ipv4.conf.default.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0</pre>\nTo make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv4.conf.default.accept_source_route = 0</pre>", "rationale": "Source-routed packets allow the source of the packet to suggest routers\nforward the packet along a different path than configured on the router,\nwhich can be used to bypass network security measures.\n<br />\nAccepting source-routed packets in the IPv4 protocol has few legitimate\nuses. It should be disabled unless it is absolutely required, such as when\nIPv4 forwarding is enabled and the system is legitimately functioning as a\nrouter.\n<br />\nThe <code>default</code> setting only seeds interfaces created after it is\napplied; interfaces that already exist keep their own per-interface value.\nThe kernel accepts a source-routed packet on an interface only when both\n<code>net.ipv4.conf.all.accept_source_route</code> and that interface's own\nsetting permit it, so the <code>all</code> parameter should be set to\n<code>0</code> alongside this one.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "18", "2", "3", "4", "6", "7", "8", "9"], "cjis": ["5.10.1.1"], "cobit5": ["APO01.06", "APO13.01", "BAI04.04", "BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS01.03", "DSS01.05", "DSS03.01", "DSS03.05", "DSS05.02", "DSS05.04", "DSS05.05", "DSS05.07", "DSS06.02", "DSS06.06"], "cui": ["3.1.20"], "isa-62443-2009": ["4.2.3.4", "4.3.3.4", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4", "4.3.4.3.2", "4.3.4.3.3", "4.4.3.3"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 6.2", "SR 7.1", "SR 7.2", "SR 7.6"], "iso27001-2013": ["A.10.1.1", "A.11.1.4", "A.11.1.5", 
"A.11.2.1", "A.12.1.1", "A.12.1.2", "A.12.1.3", "A.12.5.1", "A.12.6.2", "A.13.1.1", "A.13.1.2", "A.13.1.3", "A.13.2.1", "A.13.2.2", "A.13.2.3", "A.13.2.4", "A.14.1.2", "A.14.1.3", "A.14.2.2", "A.14.2.3", "A.14.2.4", "A.17.2.1", "A.6.1.2", "A.7.1.1", "A.7.1.2", "A.7.3.1", "A.8.2.2", "A.8.2.3", "A.9.1.1", "A.9.1.2", "A.9.2.3", "A.9.4.1", "A.9.4.4", "A.9.4.5"], "nerc-cip": ["CIP-007-3 R4", "CIP-007-3 R4.1", "CIP-007-3 R4.2", "CIP-007-3 R5.1"], "nist": ["CM-7(a)", "CM-7(b)", "SC-5", "SC-7(a)"], "nist-csf": ["DE.AE-1", "DE.CM-1", "ID.AM-3", "PR.AC-5", "PR.DS-4", "PR.DS-5", "PR.IP-1", "PR.PT-3", "PR.PT-4"], "srg": ["SRG-OS-000480-GPOS-00227"], "anssi": ["R12"], "cis": ["3.3.8"]}, "control_references": {"anssi": ["R12"], "cis": ["3.3.8"]}, "components": [], "identifiers": {}, "ocil_clause": "the correct value is not returned", "ocil": "The runtime status of the <code>net.ipv4.conf.default.accept_source_route</code> kernel parameter can be queried\nby running the following command:\n<pre>$ sysctl net.ipv4.conf.default.accept_source_route</pre>\nThe output should show the value <code>0</code>:\n<pre>net.ipv4.conf.default.accept_source_route = 0</pre>\n", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to not forward IPv4 source-routed packets by default.\nAdd or edit the following line in a system configuration file in the \"/etc/sysctl.d/\" directory:\nnet.ipv4.conf.default.accept_source_route = 0\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must not forward IPv4 source-routed packets by default.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must not forward IPv4 source-routed packets by default.", "vuldiscussion": "Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.\n\nAccepting 
source-routed packets in the IPv4 protocol has few legitimate uses. It must be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.", "checktext": "Verify Ubuntu 22.04 does not accept IPv4 source-routed packets by default.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv4.conf.default.accept_source_route\n\nnet.ipv4.conf.default.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.ipv4.conf.default.accept_source_route | tail -1\n\nnet.ipv4.conf.default.accept_source_route = 0\n\nIf \"net.ipv4.conf.default.accept_source_route\" is not set to \"0\" or is missing, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to not forward IPv4 source-routed packets by default.\n\nAdd or edit the following line in a single system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.default.accept_source_route = 0\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system"}}, "platform": null, "platforms": [], "sce_metadata": {"check-import": "stdout", "check-export": ["sysctl_net_ipv4_conf_default_accept_source_route_value=xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_accept_source_route_value"], "platform": ["multi_platform_all"], "environment": "any", "filename": "sysctl_net_ipv4_conf_default_accept_source_route.sh", "relative_path": "ubuntu2204/checks/sce/sysctl_net_ipv4_conf_default_accept_source_route.sh"}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, 
"title": "Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml", "template": {"name": "sysctl", "vars": {"sysctlvar": "net.ipv4.conf.default.accept_source_route", "datatype": "int"}, "backends": {}}}
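The description and the STIG check text above describe the persistent setting and the one-line pipeline used to verify it. The following POSIX shell audit is an added example, not part of the SSG rule or its SCE script, that resolves a sysctl key from configuration text the way `sysctl --system` does (later files and later lines win, `#` and `;` comments are ignored even when indented, and `/` is accepted as the key separator that sysctl.conf(5) also allows, which a `grep -F` on the dotted name would miss) and reads the runtime value from /proc/sys. The function names, the `SAMPLE_CONFIG` text and the file names inside it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the SSG rule or its SCE script): audit a sysctl
# setting the way `sysctl --system` resolves it. Input is config text in the
# shape of `systemd-sysctl --cat-config` (file names appear as '#' headers).
#
# Compared with `egrep -v '^(#|;)' | grep -F KEY | tail -1`, this:
#  * ignores comments even when they are indented,
#  * matches the key exactly, so net.ipv4.conf.all.accept_source_route or a
#    longer key sharing the prefix cannot satisfy a check for the default key,
#  * accepts '/' as the separator sysctl.conf(5) also permits.
# Caveat: '/' is normalised to '.', which is correct for this key but would
# mis-read interface names that themselves contain dots (e.g. eth0.100).

# effective_sysctl_value KEY   (config text on stdin)
# Prints the last uncommented assignment to KEY, or nothing if KEY is unset.
effective_sysctl_value() {
    sed -e 's/^[[:space:]]*//' -e '/^[#;]/d' -e '/^$/d' |
    awk -F= -v key="$1" '
        {
            lhs = $1; gsub("/", ".", lhs)
            sub(/^[ \t]+/, "", lhs); sub(/[ \t]+$/, "", lhs)
            if (lhs == key) {
                rhs = $2; sub(/^[ \t]+/, "", rhs); sub(/[ \t]+$/, "", rhs)
                value = rhs; found = 1
            }
        }
        END { if (found) print value }'
}

# check_persistent_value KEY EXPECTED   (config text on stdin)
# Exit status 0 when the resolved value equals EXPECTED, 1 otherwise.
check_persistent_value() {
    actual=$(effective_sysctl_value "$1")
    [ "$actual" = "$2" ]
}

# runtime_sysctl_value KEY
# Reads what `sysctl KEY` reports, via /proc/sys; prints nothing if absent.
runtime_sysctl_value() {
    procpath="/proc/sys/$(printf '%s' "$1" | tr '.' '/')"
    [ -r "$procpath" ] && cat "$procpath"
}

# Constructed sample: a vendor file enables the option, a later hardening
# drop-in disables it in slash form; the commented-out line and the 'all'
# variant must not influence the result for the 'default' key.
SAMPLE_CONFIG='# /usr/lib/sysctl.d/50-default.conf
net.ipv4.conf.default.accept_source_route = 1
# /etc/sysctl.d/99-hardening.conf
    ; comment style also accepted by sysctl
#net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route=0
net/ipv4/conf/default/accept_source_route = 0'

KEY=net.ipv4.conf.default.accept_source_route

# Audit the constructed sample so this runs anywhere. On a real Ubuntu 22.04
# host replace the printf with:
#   /usr/lib/systemd/systemd-sysctl --cat-config | check_persistent_value "$KEY" 0
if printf '%s\n' "$SAMPLE_CONFIG" | check_persistent_value "$KEY" 0; then
    echo "persistent: $KEY = 0 (pass)"
else
    echo "persistent: $KEY is not 0 (finding)"
fi

# The persistent file only matters after `sysctl --system`; compare with the
# live kernel value when /proc/sys is available.
runtime=$(runtime_sysctl_value "$KEY" || true)
if [ -n "$runtime" ]; then echo "runtime: $KEY = $runtime"; fi
```

Run both checks: a drop-in that sets the value to 0 passes the persistent check, while a runtime value of 1 shows the file has not been loaded yet. Because the kernel requires both the `all` and the per-interface value before honouring a source route, the same functions can be pointed at `net.ipv4.conf.all.accept_source_route` to audit the companion setting.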