CCI-001092 requires limiting the effects of a DoS attack. The referenced rules provide some protection against these types of attacks.
Signed-off-by: Willy Santos <[email protected]> --- rhel6/src/input/system/network/iptables.xml | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rhel6/src/input/system/network/iptables.xml b/rhel6/src/input/system/network/iptables.xml index d5ae221..df8f390 100644 --- a/rhel6/src/input/system/network/iptables.xml +++ b/rhel6/src/input/system/network/iptables.xml @@ -79,7 +79,7 @@ capability for IPv6 and ICMPv6. </rationale> <ident cce="4167-3" /> <oval id="service_ip6tables_enabled" /> -<ref nist="CM-6, CM-7" disa="1115,1118"/> +<ref nist="CM-6, CM-7" disa="1115,1118,1092"/> </Rule> <Rule id="enable_iptables"> @@ -95,7 +95,7 @@ capability for IPv4 and ICMP. </rationale> <ident cce="4189-7" /> <oval id="service_iptables_enabled" /> -<ref nist="CM-6, CM-7" disa="1115,1118" /> +<ref nist="CM-6, CM-7" disa="1115,1118,1092" /> </Rule> </Group><!--<Group id="iptables_activation">--> @@ -188,7 +188,7 @@ could add another IPv6 address to the interface or alter important network setti ation of IPv6 depends heavily on ICMPv6. Thus, more care must be taken when blocking ICMPv6 types.</rationale> <!--<ident cce="14264-6" />--> <oval id="iptables_icmp_disabled" /> -<ref nist="AC-4, CM-6" /> +<ref nist="AC-4, CM-6" disa="1092" /> </Rule> <Rule id="iptables_log_and_drop_suspicious"> -- 1.7.7.6 _______________________________________________ scap-security-guide mailing list [email protected] https://fedorahosted.org/mailman/listinfo/scap-security-guide
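Review bot: In the `enable_ip6tables` and `enable_iptables` hunks, the rules that gain `1092` are only checked by `service_ip6tables_enabled` and `service_iptables_enabled`, so a system passes as soon as the service is on, whatever ruleset is loaded. A running firewall with a permissive ruleset does not limit the effects of a DoS, so the CCI-001092 mapping on these two rules claims more than the check verifies. Either add a sentence to each rationale stating that the DoS protection depends on the configured ruleset, or move the reference to the rules that actually define filtering behavior. Minor style point while these lines are being touched: the first hunk writes `disa="1115,1118,1092"/>` with no space before `/>`, the second writes `disa="1115,1118,1092" />`; pick one form.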
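Review bot: In the third hunk (the rule checked by `iptables_icmp_disabled`), the visible rationale talks about altering network settings and about taking care when blocking ICMPv6 types, but says nothing about denial of service, so the new `disa="1092"` has no supporting text in the rule itself. Add a sentence to the rationale explaining how restricting these ICMP types limits the effects of a DoS, so the mapping can be audited from the rule rather than only from the commit message. The rationale's own caution that IPv6 operation depends heavily on ICMPv6 also deserves a mention there, since over-blocking can itself cause loss of service.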
