← Back to SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide

V-4398

CAT II (Medium)

A system used for routing must not run other network services or applications.

Rule ID

SV-46112r1_rule

STIG

SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide

Version

V1R12

CCIs

CCI-001208

Discussion

Installing extraneous software on a system designated as a dedicated router poses a security threat to the system and the network. Should an attacker gain access to the router through the unauthorized software, the entire network is susceptible to malicious activity.

Check Content

If the system is a VM host and acts as a router solely for the benefit of its client systems, then this rule is not applicable.
Ask the SA if the system is a designated router. If it is not, this is not applicable.

Check the system for non-routing network services.

Procedure:
# netstat -a | grep -i listen
# ps -ef

If non-routing services, including Web servers, file servers, DNS servers, or applications servers, but excluding management services such as SSH and SNMP, are running on the system, this is a finding.

Fix Text

Ensure only authorized software is loaded on a designated router. Authorized software will be limited to the most current version of routing protocols and SSH for system administration purposes.