AOSX-13-001195 - The macOS system must not accept source-routed IPv4 packets.

Information

A source-routed packet attempts to specify the network path the packet should take. If the system is not configured to block incoming source-routed packets, an attacker can redirect the system's network traffic. Configuring the system to drop incoming source-routed IPv4 packets mitigates this risk.

Solution

To configure the system to not accept 'source-routed' packets, add the following line to '/etc/sysctl.conf', creating the file if necessary:

net.inet.ip.accept_sourceroute=0
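As an added example (not part of the STIG text or of Tenable's audit plugin), the POSIX shell functions below audit and remediate this setting the way the check above is described: one function parses a sysctl.conf-style file for the last effective value of net.inet.ip.accept_sourceroute (comments and whitespace tolerated, later lines override earlier ones), one queries the running macOS kernel, and one appends the required line when the file does not already enforce it. The file path passed in is the caller's choice; the function names are this example's own.

```shell
#!/bin/sh
# Added example for AOSX-13-001195; not from the STIG or the Tenable plugin.

# check_sourceroute_conf FILE
#   Returns 0 when FILE's last effective assignment of
#   net.inet.ip.accept_sourceroute is 0; returns 1 when the key is missing,
#   the file is unreadable, or the last value is anything other than 0.
check_sourceroute_conf() {
    file="$1"
    [ -r "$file" ] || return 1
    # Drop comments and whitespace, keep only the key's assignments, and take
    # the last one since sysctl.conf is applied top to bottom at boot.
    val=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' "$file" \
          | grep '^net\.inet\.ip\.accept_sourceroute=' \
          | tail -n 1 | cut -d= -f2)
    [ "$val" = "0" ]
}

# check_sourceroute_live
#   Asks the running kernel (macOS). Returns 0 if compliant, 1 if not,
#   2 if the key does not exist on this platform (e.g. Linux).
check_sourceroute_live() {
    val=$(sysctl -n net.inet.ip.accept_sourceroute 2>/dev/null) || return 2
    [ "$val" = "0" ]
}

# ensure_sourceroute_conf FILE
#   Appends the STIG's required line unless FILE already enforces it.
#   Appending is sufficient even if an earlier line set a non-zero value,
#   because the last assignment wins. Creates FILE if it does not exist.
ensure_sourceroute_conf() {
    file="$1"
    if check_sourceroute_conf "$file"; then
        return 0
    fi
    printf 'net.inet.ip.accept_sourceroute=0\n' >> "$file"
}

# Stand-alone use on a macOS host (requires root to write /etc/sysctl.conf):
#   ensure_sourceroute_conf /etc/sysctl.conf
#   check_sourceroute_live || echo "kernel value still non-compliant until reboot or sysctl -w"
```

The sysctl.conf line only takes effect at the next boot; to apply it to the running kernel immediately, run `sudo sysctl -w net.inet.ip.accept_sourceroute=0` and confirm with the live check. Re-auditing the file rather than only the live value catches the case where someone changed the kernel setting by hand without persisting it.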

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_OS_X_10-13_V2R5_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-214909r609363_rule, STIG-ID|AOSX-13-001195, STIG-Legacy|SV-96411, STIG-Legacy|V-81697, Vuln-ID|V-214909

Plugin: Unix

Control ID: dd289841b81c5bf38b7107692991fe6b4e082b1331e67b9ffc28d7f3f4bbf435