Bug 972513 - The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.
Summary: The system must use a reverse-path filter for IPv4 network traffic when possi...
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: initscripts
Version: 6.6
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Lukáš Nykrýn
QA Contact: qe-baseos-daemons
Depends On: 972512
Blocks: 972517
TreeView+ depends on / blocked
Reported: 2013-06-09 19:50 UTC by Jason Pyeron
Modified: 2016-11-25 13:02 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-06-13 14:20:56 UTC
Target Upstream Version:

Attachments (Terms of Use)
RHEL6 STIG patch (451 bytes, patch)
2013-06-09 19:50 UTC, Jason Pyeron
no flags Details | Diff
specfile patch (1.31 KB, patch)
2013-06-09 19:51 UTC, Jason Pyeron
no flags Details | Diff

Description Jason Pyeron 2013-06-09 19:50:10 UTC
Created attachment 758910 [details]
RHEL6 STIG patch

Description of problem:

The default configuration is not conforming to best practices. The Red Hat Enterprise Linux 6 Security Technical Implementation Guide (STIG) v1.2 published by the Defense Information Systems Agency recommends the changes in the attached patch.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:

perform a yum install

Actual results:

root@test /tmp/setup
# sysctl net.ipv4.conf.all.rp_filter
net.ipv4.conf.all.rp_filter = 0

Expected results:

$ sysctl net.ipv4.conf.all.rp_filter

The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".

Additional info:

see: http://iase.disa.mil/stigs/os/unix/red_hat.html

Comment 1 Jason Pyeron 2013-06-09 19:51:51 UTC
Created attachment 758911 [details]
specfile patch

Comment 3 Václav Pavlín 2013-06-13 14:20:56 UTC
Hi, this bug changes the default behaviour of the system and we don't think it is appropriate to do this in a midstream RHEL 6 release.

Note You need to log in before you can comment on or make changes to this bug.