mediumnetworkunverified
Ensure no unauthorized IP tunnels are configured
ipsec-tunnels-authorized · RHEL ≥ 10 · 1 impl
Description
RHEL 10 must not have unauthorized IPsec/IP tunnels configured. When the IPsec service is inactive with no configured connections there are no tunnels; when tunnels are configured, each must be documented and approved by the ISSO (manual verification).
Rationale
Unauthorized IP tunnels can bypass network boundary protections and exfiltrate data or provide covert command-and-control channels. Every configured tunnel must be reviewed against the approved architecture.
Check → Remediate
Checkcommand
if ! systemctl is-active ipsec >/dev/null 2>&1; then
echo "OK: the IPsec service is inactive; no IP tunnels are configured"
exit 0
fi
conns=$(grep -rIniE '^[[:space:]]*conn[[:space:]]' /etc/ipsec.conf /etc/ipsec.d/ 2>/dev/null \
| grep -viE 'conn[[:space:]]+%default')
if [ -z "$conns" ]; then
echo "OK: IPsec is active but no tunnel connections are configured"
exit 0
fi
echo "MANUAL REVIEW REQUIRED: IPsec tunnel connections are configured — verify each is documented and approved by the ISSO. Any active, unapproved tunnel is a finding:"
echo "$conns"
exit 0
- expected_exit:
- 0
Remediatemanual
- note:
- Remove any undocumented or unapproved IPsec connection from /etc/ipsec.conf and /etc/ipsec.d/*.conf, or document and obtain ISSO approval for each required tunnel.
Framework references
STIG
V-281339 / RHEL-10-800070
NIST 800-53
CM-7SC-7
#network#ipsec#tunnel#stig#manual