← Rules Catalog
mediumnetworkunverified

Ensure no unauthorized IP tunnels are configured

ipsec-tunnels-authorized · RHEL ≥ 10 · 1 impl

Description

RHEL 10 must not have unauthorized IPsec/IP tunnels configured. When the IPsec service is inactive with no configured connections there are no tunnels; when tunnels are configured, each must be documented and approved by the ISSO (manual verification).

Rationale

Unauthorized IP tunnels can bypass network boundary protections and exfiltrate data or provide covert command-and-control channels. Every configured tunnel must be reviewed against the approved architecture.

Check → Remediate

Checkcommand
if ! systemctl is-active ipsec >/dev/null 2>&1; then
  echo "OK: the IPsec service is inactive; no IP tunnels are configured"
  exit 0
fi
conns=$(grep -rIniE '^[[:space:]]*conn[[:space:]]' /etc/ipsec.conf /etc/ipsec.d/ 2>/dev/null \
          | grep -viE 'conn[[:space:]]+%default')
if [ -z "$conns" ]; then
  echo "OK: IPsec is active but no tunnel connections are configured"
  exit 0
fi
echo "MANUAL REVIEW REQUIRED: IPsec tunnel connections are configured — verify each is documented and approved by the ISSO. Any active, unapproved tunnel is a finding:"
echo "$conns"
exit 0
expected_exit:
0
Remediatemanual
note:
Remove any undocumented or unapproved IPsec connection from /etc/ipsec.conf and /etc/ipsec.d/*.conf, or document and obtain ISSO approval for each required tunnel.

Framework references

STIG

V-281339 / RHEL-10-800070

NIST 800-53

CM-7SC-7
#network#ipsec#tunnel#stig#manual