Verify Any Configured IPSec Tunnel Connections

An XCCDF Rule

Description

Libreswan provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. As such, IPsec can be used to circumvent certain network requirements such as filtering. Verify that if any IPsec connection (conn) configured in /etc/ipsec.conf and /etc/ipsec.d exists is an approved organizational connection.

warning alert: Warning

Automatic remediation of this control is not available due to the unique requirements of each system.

Rationale

IP tunneling mechanisms can be used to bypass network filtering.

ID: xccdf_org.ssgproject.content_rule_libreswan_approved_tunnels
Severity: Medium
References: 1 12 13 14 15 16 18 4 6 8 9

APO01.06 APO13.01 DSS01.05 DSS03.01 DSS05.02 DSS05.04 DSS05.07 DSS06.02

CCI-000336

164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii)

4.2.3.4 4.3.3.4 4.4.3.3

SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6

A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5

AC-17(a) AC-4 CM-6(a) MA-4(6) SC-8

DE.AE-1 ID.AM-3 PR.AC-5 PR.DS-5 PR.PT-4

SRG-OS-000480-GPOS-00227
Updated: about 1 year ago