The Reliable Datagram Sockets (RDS) protocol must be disabled on AIX.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-215394 | AIX7-00-003089 | SV-215394r958480_rule | CCI-000382 | medium |
| Description | ||||
| The Reliable Datagram Sockets (RDS) protocol is a relatively new protocol developed by Oracle for communication between the nodes of a cluster. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause the system to dynamically load a protocol handler by opening a socket using the protocol. AIX has RDS protocol installed as part of the 'bos.net.tcp.client' fileset. The RDS protocol in primarily used for communication on INFI-Band interfaces. The protocol is manually loaded with the bypassctrl command. To prevent possible attacks this protocol must be disabled unless required. | ||||
| STIG | Date | |||
| IBM AIX 7.x Security Technical Implementation Guide | 2024-08-16 | |||
Related Frameworks
3 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
CM-7
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1711 mapping
3.4.6
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000382
1.00
- DISA · 3 · disa_xccdf · related
Details
Check Text (C-215394r958480_chk)
Determine if RDS is currently loaded:
# genkex | grep rds
If there is any output from the command, this is a finding.
Fix Text (F-16590r294634_fix)
Configure the system to not automatically load the RDS protocol handler.
Check startup scripts for "bypasscrtl load rds" and comment out the "bypassctrl" commands.
Unload the driver from the kernel:
# bypassctrl unload rds