The operating system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.

An XCCDF Rule

Description

<VulnDiscussion>In the case of denial of service attacks, care must be taken when designing the operating system so as to ensure that the operating system makes the best use of system resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-216237r958528_rule
Severity: Medium
References: CCI-001095
Updated: 17 days ago

The Network Management profile is required.

Set each link's speed-duplex protection to an appropriate value based on each configured network interface's POSSIBLE settings.

Determine the OS version that is being secured:
# uname -a

For Solaris 11, 11.1, 11.2, and 11.3:

# pfexec dladm set-linkprop -p en_1000fdx_cap=1 net0

Verify EFFECTIVE column
# dladm show-linkprop net0 | egrep "LINK|en_" | sort|uniq
LINK     PROPERTY        PERM VALUE        EFFECTIVE    DEFAULT   POSSIBLE
net0     en_1000fdx_cap  rw   1            1            1         1,0
net0     en_1000hdx_cap  r-   0            0            0         1,0
net0     en_100fdx_cap   rw   1            1            1         1,0
net0     en_100hdx_cap   rw   1            1            1         1,0
net0     en_10fdx_cap    rw   1            1            1         1,0
net0     en_10gfdx_cap   --   --           --           0         1,0
net0     en_10hdx_cap    rw   1            1            1         1,0

Do the above for all available/connected network adapters.

For Solaris 11.4.x or newer:

# pfexec dladm set-linkprop -p speed-duplex=1g-f,100m-f net0

Verify EFFECTIVE column
# dladm show-linkprop -p speed-duplex net0
LINK     PROPERTY        PERM VALUE        EFFECTIVE    DEFAULT   POSSIBLE
net0     speed-duplex    rw   1g-f,100m-f  1g-f,100m-f  1g-f,     1g-f,100m-f,
                                                        100m-f,   100m-h,10m-f,
                                                        100m-h,   10m-h
                                                        10m-f,
                                                        10m-h

Do the above for all available/connected network adapters.

The operating system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.

Description

Remediation - Manual Procedure