{"description": "To set the runtime status of the <code>net.ipv4.tcp_syncookies</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.tcp_syncookies=1</pre>\nTo make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv4.tcp_syncookies = 1</pre>", "rationale": "A TCP SYN flood attack can cause a denial of service by filling a\nsystem's TCP connection table with connections in the SYN_RCVD state.\nSyncookies can be used to track a connection when a subsequent ACK is received,\nverifying the initiator is attempting a valid connection and is not a flood\nsource. This feature is activated when a flood condition is detected, and\nenables the system to continue servicing valid connection requests.", "severity": "medium", "references": {"cis-csc": ["1", "12", "13", "14", "15", "16", "18", "2", "4", "6", "7", "8", "9"], "cjis": ["5.10.1.1"], "cobit5": ["APO01.06", "APO13.01", "BAI04.04", "DSS01.03", "DSS01.05", "DSS03.01", "DSS03.05", "DSS05.02", "DSS05.04", "DSS05.07", "DSS06.02"], "cui": ["3.1.20"], "isa-62443-2009": ["4.2.3.4", "4.3.3.4", "4.4.3.3"], "isa-62443-2013": ["SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 6.2", "SR 7.1", "SR 7.2", "SR 7.6"], "iso27001-2013": ["A.10.1.1", "A.11.1.4", "A.11.1.5", "A.11.2.1", "A.12.1.1", "A.12.1.2", "A.12.1.3", "A.13.1.1", "A.13.1.2", "A.13.1.3", "A.13.2.1", "A.13.2.2", "A.13.2.3", "A.13.2.4", "A.14.1.2", "A.14.1.3", "A.17.2.1", "A.6.1.2", "A.7.1.1", "A.7.1.2", "A.7.3.1", "A.8.2.2", "A.8.2.3", "A.9.1.1", "A.9.1.2", "A.9.2.3", "A.9.4.1", "A.9.4.4", "A.9.4.5"], "nist": ["CM-7(a)", "CM-7(b)", "SC-5(1)", "SC-5(2)", "SC-5(3)(a)", "CM-6(a)"], "nist-csf": ["DE.AE-1", "DE.CM-1", "ID.AM-3", "PR.AC-5", "PR.DS-4", "PR.DS-5", "PR.PT-4"], "pcidss": ["Req-1.4.1"], "srg": ["SRG-OS-000480-GPOS-00227", "SRG-OS-000420-GPOS-00186", "SRG-OS-000142-GPOS-00071"], "anssi": ["R12"], "cis": ["3.3.10"], "pcidss4": ["1.4.3", "1.4"], "stigid": ["UBTU-22-253010"], "stigref": ["SV-260522r958528_rule"]}, "control_references": {"anssi": ["R12"], "cis": ["3.3.10"], "pcidss4": ["1.4.3", "1.4"], "stigid": ["UBTU-22-253010"]}, "components": [], "identifiers": {}, "ocil_clause": "the correct value is not returned", "ocil": "The runtime status of the <code>net.ipv4.tcp_syncookies</code> kernel parameter can be queried\nby running the following command:\n<pre>$ sysctl net.ipv4.tcp_syncookies</pre>\n<code>1</code>.\n", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to use TCP syncookies.\n\nAdd or edit the following line in a system configuration file in the \"/etc/sysctl.d/\" directory:\n net.ipv4.tcp_syncookies = 1\n\n Load settings from all system configuration files with the following command:\n\n $ sudo sysctl --system", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must be configured to use TCP syncookies.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must be configured to use TCP syncookies.", "vuldiscussion": "Denial of service (DoS) is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.\n\nManaging excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.", "checktext": "Verify Ubuntu 22.04 is configured to use IPv4 TCP syncookies.\n\nDetermine if syncookies are used with the following command:\n\nCheck the status of the kernel.perf_event_paranoid kernel parameter.\n\n$ sudo sysctl net.ipv4.tcp_syncookies\n\nnet.ipv4.tcp_syncookies = 1\n\nCheck that the configuration files are present to enable this kernel parameter.\n\n$ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.ipv4.tcp_syncookies | tail -1\n\nnet.ipv4.tcp_syncookies = 1\n\nIf the network parameter \"ipv4.tcp_syncookies\" is not equal to \"1\" or nothing is returned, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to use TCP syncookies.\n\nAdd or edit the following line in a system configuration file in the \"/etc/sysctl.d/\" directory:\n net.ipv4.tcp_syncookies = 1\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system"}}, "platform": null, "platforms": [], "sce_metadata": {"check-import": "stdout", "check-export": ["sysctl_net_ipv4_tcp_syncookies_value=xccdf_org.ssgproject.content_value_sysctl_net_ipv4_tcp_syncookies_value"], "platform": ["multi_platform_all"], "environment": "any", "filename": "sysctl_net_ipv4_tcp_syncookies.sh", "relative_path": "ubuntu2204/checks/sce/sysctl_net_ipv4_tcp_syncookies.sh"}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml", "template": {"name": "sysctl", "vars": {"sysctlvar": "net.ipv4.tcp_syncookies", "datatype": "int"}, "backends": {}}}