Rules Related To 'dhcp'

Component overview

Relevant packages:

Relevant groups:

Changelog:

No changes recorded.

Relevant rules:

Rule details

Minimize the DHCP-Configured Options

dhcp_client_restrict_options

Description

Create the file /etc/dhcp/dhclient.conf, and add an appropriate setting for each of the ten configuration settings which can be obtained via DHCP. For each setting, do one of the following:
If the setting should not be configured remotely by the DHCP server, select an appropriate static value, and add the line:

supersede setting value;
If the setting should be configured remotely by the DHCP server, add the lines:
request setting;
require setting;
For example, suppose the DHCP server should provide only the IP address itself and the subnet mask. Then the entire file should look like:
supersede domain-name "example.com";
supersede domain-name-servers 192.168.1.2;
supersede nis-domain "";
supersede nis-servers "";
supersede ntp-servers "ntp.example.com ";
supersede routers 192.168.1.1;
supersede time-offset -18000;
request subnet-mask;
require subnet-mask;

Rationale

By default, the DHCP client program, dhclient, requests and applies ten configuration options (in addition to the IP address) from the DHCP server. subnet-mask, broadcast-address, time-offset, routers, domain-name, domain-name-servers, host-name, nis-domain, nis-servers, and ntp-servers. Many of the options requested and applied by dhclient may be the same for every system on a network. It is recommended that almost all configuration options be assigned statically, and only options which must vary on a host-by-host basis be assigned via DHCP. This limits the damage which can be done by a rogue DHCP server. If appropriate for your site, it is also possible to supersede the host-name directive in /etc/dhcp/dhclient.conf, establishing a static hostname for the system. However, dhclient does not use the host name option provided by the DHCP server (instead using the value provided by a reverse DNS lookup).

Configure Logging

dhcp_server_configure_logging

Description

Ensure that the following line exists in /etc/rsyslog.conf:

daemon.*           /var/log/daemon.log
Configure logwatch or other log monitoring tools to summarize error conditions reported by the dhcpd process.

Rationale

By default, dhcpd logs notices to the daemon facility. Sending all daemon messages to a dedicated log file is part of the syslog configuration outlined in the Logging and Auditing section

Deny BOOTP Queries

dhcp_server_deny_bootp

Description

Unless your network needs to support older BOOTP clients, disable support for the bootp protocol by adding or correcting the global option:

deny bootp;

Rationale

The bootp option tells dhcpd to respond to BOOTP queries. If support for this simpler protocol is not needed, it should be disabled to remove attack vectors against the DHCP server.

Deny Decline Messages

dhcp_server_deny_decline

Description

Edit /etc/dhcp/dhcpd.conf and add or correct the following global option to prevent the DHCP server from responding the DHCPDECLINE messages, if possible:

deny declines;

Rationale

The DHCPDECLINE message can be sent by a DHCP client to indicate that it does not consider the lease offered by the server to be valid. By issuing many DHCPDECLINE messages, a malicious client can exhaust the DHCP server's pool of IP addresses, causing the DHCP server to forget old address allocations.

Do Not Use Dynamic DNS

dhcp_server_disable_ddns

Description

To prevent the DHCP server from receiving DNS information from clients, edit /etc/dhcp/dhcpd.conf, and add or correct the following global option:

ddns-update-style none;

Rationale

The Dynamic DNS protocol is used to remotely update the data served by a DNS server. DHCP servers can use Dynamic DNS to publish information about their clients. This setup carries security risks, and its use is not recommended. If Dynamic DNS must be used despite the risks it poses, it is critical that Dynamic DNS transactions be protected using TSIG or some other cryptographic authentication mechanism. See dhcpd.conf(5) for more information about protecting the DHCP server from passing along malicious DNS data from its clients.

Minimize Served Information

dhcp_server_minimize_served_info

Description

Edit /etc/dhcp/dhcpd.conf. Examine each address range section within the file, and ensure that the following options are not defined unless there is an operational need to provide this information via DHCP:

option domain-name
option domain-name-servers
option nis-domain
option nis-servers
option ntp-servers
option routers
option time-offset

Rationale

Because the configuration information provided by the DHCP server could be maliciously provided to clients by a rogue DHCP server, the amount of information provided via DHCP should be minimized. Remove these definitions from the DHCP server configuration to ensure that legitimate clients do not unnecessarily rely on DHCP for this information.

Uninstall DHCP Client Package

package_dhcp_client_removed

Description

If the system does not need to act as a DHCP client, the dhcp-client package can be uninstalled. The dhcp-client package can be removed with the following command:

$ apt-get remove dhcp-client

Rationale

Removing the DHCP client is necessary when the system works or will work in a static network environment. In this case the system has/will have a static IP address assigned.

Uninstall DHCP Server Package

package_dhcp_removed

Description

If the system does not need to act as a DHCP server, the dhcp package can be uninstalled. The isc-dhcp-server package can be removed with the following command:

$ apt-get remove isc-dhcp-server

Rationale

Removing the DHCP server ensures that it cannot be easily or accidentally reactivated and disrupt network operation.

Disable DHCP Service

service_dhcpd_disabled

Description

The dhcpd service should be disabled on any system that does not need to act as a DHCP server. The dhcpd service can be disabled with the following command:

$ sudo systemctl mask --now dhcpd.service

Rationale

Unmanaged or unintentionally activated DHCP servers may provide faulty information to clients, interfering with the operation of a legitimate site DHCP server if there is one.

Disable DHCP Client in ifcfg

sysconfig_networking_bootproto_ifcfg

Description

For each interface on the system (e.g. eth0), edit /etc/sysconfig/network-scripts/ifcfg-interface and make the following changes:

Rationale

DHCP relies on trusting the local network. If the local network is not trusted, then it should not be used. However, the automatic configuration provided by DHCP is commonly used and the alternative, manual configuration, presents an unacceptable burden in many circumstances.

Uninstall kea Package

package_kea_removed

Description

If the system does not need to act as a DHCP server, the kea package can be uninstalled.

Rationale

Removing the DHCP server ensures that it cannot be easily or accidentally reactivated and disrupt network operation.