{"description": "The operating system must configure the uncomplicated firewall to\nrate-limit impacted network interfaces.\n\nCheck all the services listening to the ports with the following\ncommand:\n<pre>$ sudo ss -l46ut\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process\ntcp LISTEN 0 128 [::]:ssh [::]:*</pre>\n\nFor each entry, verify that the ufw is configured to rate limit the\nservice ports with the following command:\n<pre>$ sudo ufw status</pre>\n\nIf any port with a state of \"LISTEN\" is not marked with the \"LIMIT\"\naction, run the following command, replacing \"service\" with the\nservice that needs to be rate limited:\n<pre>$ sudo ufw limit \"service\"</pre>\n\nRate-limiting can also be done on an interface. An example of adding\na rate-limit on the eth0 interface follows:\n<pre>$ sudo ufw limit in on eth0</pre>", "rationale": "This requirement addresses the configuration of the operating system to\nmitigate the impact of DoS attacks that have occurred or are ongoing on\nsystem availability. For each system, known and potential DoS attacks\nmust be identified and solutions for each type implemented. A variety\nof technologies exist to limit or, in some cases, eliminate the effects\nof DoS attacks (e.g., limiting processes or establishing memory\npartitions). Employing increased capacity and bandwidth, combined with\nservice redundancy, may reduce the susceptibility to some DoS attacks.", "severity": "medium", "references": {"srg": ["SRG-OS-000420-GPOS-00186"], "stigid": ["UBTU-22-251025"], "stigref": ["SV-260517r958902_rule"]}, "control_references": {"stigid": ["UBTU-22-251025"]}, "components": [], "identifiers": {}, "ocil_clause": "network interface not rate-limit", "ocil": "Check all the services listening to the ports with the following\ncommand:\n<pre>$ sudo ss -l46ut\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process\ntcp LISTEN 0 128 [::]:ssh [::]:*</pre>\n\nFor each entry, verify that the ufw is configured to rate limit the\nservice ports with the following command:\n<pre>$ sudo ufw status</pre>\n\nIf any port with a state of \"LISTEN\" is not marked with the \"LIMIT\"\naction, run the following command, replacing \"service\" with the\nservice that needs to be rate limited:\n<pre>$ sudo ufw limit \"service\"</pre>\n\nRate-limiting can also be done on an interface. An example of adding\na rate-limit on the eth0 interface follows:\n<pre>$ sudo ufw limit in on eth0</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {"platform": ["multi_platform_ubuntu"], "check-import": "stdout", "environment": "any", "filename": "ufw_rate_limit.sh", "relative_path": "ubuntu2204/checks/sce/ufw_rate_limit.sh"}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "ufw Must rate-limit network interfaces", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-ufw/ufw_rate_limit/rule.yml", "template": null}