{"description": "Libreswan provides an implementation of IPsec\nand IKE, which permits the creation of secure tunnels over\nuntrusted networks. As such, IPsec can be used to circumvent certain\nnetwork requirements such as filtering. Verify that if any IPsec connection\n(<tt>conn</tt>) configured in <tt>/etc/ipsec.conf</tt> and <tt>/etc/ipsec.d</tt>\nexists is an approved organizational connection.", "rationale": "IP tunneling mechanisms can be used to bypass network filtering.", "severity": "medium", "references": {"cis-csc": ["1", "12", "13", "14", "15", "16", "18", "4", "6", "8", "9"], "cobit5": ["APO01.06", "APO13.01", "DSS01.05", "DSS03.01", "DSS05.02", "DSS05.04", "DSS05.07", "DSS06.02"], "hipaa": ["164.308(a)(4)(i)", "164.308(b)(1)", "164.308(b)(3)", "164.310(b)", "164.312(e)(1)", "164.312(e)(2)(ii)"], "isa-62443-2009": ["4.2.3.4", "4.3.3.4", "4.4.3.3"], "isa-62443-2013": ["SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 7.1", "SR 7.6"], "iso27001-2013": ["A.10.1.1", "A.11.1.4", "A.11.1.5", "A.11.2.1", "A.12.1.1", "A.12.1.2", "A.13.1.1", "A.13.1.2", "A.13.1.3", "A.13.2.1", "A.13.2.2", "A.13.2.3", "A.13.2.4", "A.14.1.2", "A.14.1.3", "A.6.1.2", "A.7.1.1", "A.7.1.2", "A.7.3.1", "A.8.2.2", "A.8.2.3", "A.9.1.1", "A.9.1.2", "A.9.2.3", "A.9.4.1", "A.9.4.4", "A.9.4.5"], "nist": ["AC-17(a)", "MA-4(6)", "CM-6(a)", "AC-4", "SC-8"], "nist-csf": ["DE.AE-1", "ID.AM-3", "PR.AC-5", "PR.DS-5", "PR.PT-4"], "srg": ["SRG-OS-000480-GPOS-00227"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the IPSec tunnels are not approved", "ocil": "Verify that Ubuntu 22.04 does not have unauthorized IP tunnels configured.\n\n\n\nIf \"libreswan\" is installed, check to see if the \"IPsec\" service is active with the following command:\n\n# systemctl status ipsec\nipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec\nLoaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)\nActive: inactive (dead)\n\n\nIf the \"IPsec\" service is active, check for configured IPsec connections (<tt>conn</tt>), perform the following:\n<pre>grep -rni conn /etc/ipsec.conf /etc/ipsec.d/</pre>\nVerify any returned results for organizational approval.", "oval_external_content": null, "fixtext": "Remove all unapproved tunnels from the system, or document them with the ISSO.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Any IPSec Tunnel Connections on Ubuntu 22.04 must be approved.", "warnings": [{"general": "Automatic remediation of this control is not available due to the unique\nrequirements of each system."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must not have unauthorized IP tunnels configured.", "vuldiscussion": "IP tunneling mechanisms can be used to bypass network filtering. If tunneling is required, it must be documented with the information system security officer (ISSO).", "checktext": "Verify that Ubuntu 22.04 does not have unauthorized IP tunnels configured.\n\nDetermine if the \"IPsec\" service is active with the following command:\n\n$ systemctl is-active ipsec\n\nInactive\n\nIf the \"IPsec\" service is active, check for configured IPsec connections (\"conn\"), with the following command:\n\n$ sudo grep -rni conn /etc/ipsec.conf /etc/ipsec.d/\n\nVerify any returned results are documented with the ISSO.\n\nIf the IPsec tunnels are active and not approved, this is a finding.", "fixtext": "Remove all unapproved tunnels from the system, or document them with the ISSO."}}, "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Verify Any Configured IPSec Tunnel Connections", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-ipsec/libreswan_approved_tunnels/rule.yml", "template": null}