SOL-11.1-090280 - The operating system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.

Information

In the case of denial of service attacks, care must be taken when designing the operating system so as to ensure that the operating system makes the best use of system resources.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

The Network Management profile is required.

Set each link's speed-duplex protection to an appropriate value based on each configured network interface's POSSIBLE settings.

Determine the OS version that is being secured:

# uname -a

For Solaris 11, 11.1, 11.2, and 11.3:

# pfexec dladm set-linkprop -p en_1000fdx_cap=1 net0

Verify EFFECTIVE column
# dladm show-linkprop net0 | egrep 'LINK|en_' | sort|uniq
LINK PROPERTY PERM VALUE EFFECTIVE DEFAULT POSSIBLE
net0 en_1000fdx_cap rw 1 1 1 1,0
net0 en_1000hdx_cap r- 0 0 0 1,0
net0 en_100fdx_cap rw 1 1 1 1,0
net0 en_100hdx_cap rw 1 1 1 1,0
net0 en_10fdx_cap rw 1 1 1 1,0
net0 en_10gfdx_cap -- -- -- 0 1,0
net0 en_10hdx_cap rw 1 1 1 1,0

Do the above for all available/connected network adapters.

For Solaris 11.4.x or newer:

# pfexec dladm set-linkprop -p speed-duplex=1g-f,100m-f net0

Verify EFFECTIVE column
# dladm show-linkprop -p speed-duplex net0
LINK PROPERTY PERM VALUE EFFECTIVE DEFAULT POSSIBLE
net0 speed-duplex rw 1g-f,100m-f 1g-f,100m-f 1g-f, 1g-f,100m-f,
100m-f, 100m-h,10m-f,
100m-h, 10m-h
10m-f,
10m-h

Do the above for all available/connected network adapters.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SOL_11_SPARC_V3R1_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5(2), CAT|II, CCI|CCI-001095, Rule-ID|SV-216473r958528_rule, STIG-ID|SOL-11.1-090280, STIG-Legacy|SV-60771, STIG-Legacy|V-47899, Vuln-ID|V-216473

Plugin: Unix

Control ID: 0ea795e6754e2ad9f9b177e2aa45c8a378c84f95f701dbafe5ce6f8a0c247d09