# SPDX-FileCopyrightText: 2025 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
# ------------------------------------------------------------------
# METADATA
# ------------------------------------------------------------------
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.130331");
script_version("2025-11-21T05:40:28+0000");
script_tag(name:"last_modification", value:"2025-11-21 05:40:28 +0000 (Fri, 21 Nov 2025)");
script_tag(name:"creation_date", value:"2025-05-07 11:44:20 +0000 (Wed, 07 May 2025)");
script_tag(name:"cvss_base", value:"0.0");
script_tag(name:"cvss_base_vector", value:"AV:L/AC:H/Au:S/C:N/I:N/A:N");
script_tag(name:"qod", value:"97");
script_name("Configure TIME_WAIT for TCP");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2025 Greenbone AG");
script_family("Policy");
script_dependencies("compliance_tests.nasl", "compliance_os_check.nasl");
script_mandatory_keys("Compliance/Launch", "policy/ssh/login/euleros_eulerosvirtual_openeuler_hce");
script_xref(name:"Policy", value:"EulerOS Baseline: openEuler Security Configuration Baseline (v1.0.0): 3. Running and Services: 3.5 Kernel: 3.5.17 Configure TIME_WAIT for TCP (Requirement)");
script_xref(name:"Policy", value:"EulerOS Virtual: openEuler Security Configuration Baseline (v1.0.0): 3. Running and Services: 3.5 Kernel: 3.5.17 Configure TIME_WAIT for TCP (Requirement)");
script_xref(name:"Policy", value:"HCE Linux (Huawei Cloud EulerOS): openEuler Security Configuration Baseline (v1.0.0): 3. Running and Services: 3.5 Kernel: 3.5.17 Configure TIME_WAIT for TCP (Requirement)");
script_xref(name:"Policy", value:"openEuler Baseline: openEuler Security Configuration Baseline (v1.0.0): 3. Running and Services: 3.5 Kernel: 3.5.17 Configure TIME_WAIT for TCP (Requirement)");
script_tag(name:"summary", value:"TIME_WAIT indicates the time for TCP to wait for connection
destruction. If this parameter is set to a large value, a large number of TCP connections are not
closed and DoS attacks occur. You are advised to set this parameter to a value less than or equal
to 60.");
exit(0);
}
include("ssh_func.inc");
include("host_details.inc");
include("policy_reporting_module.inc");
title = "Configure TIME_WAIT for TCP";
solution = "1. Set TIME_WAIT to a value less than or equal to 60. Run the following command to
temporarily change the value. After the reboot, the default value is restored.
# sysctl -w net.ipv4.tcp_fin_timeout=60
2. Open the /etc/sysctl.conf file, add or modify the following configuration, and run the sysctl -p
/etc/sysctl.conf command to make the configuration take effect permanently.
net.ipv4.tcp_fin_timeout=60";
check_type = "SSH_Cmd";
action = 'Run the command in the terminal:
# sysctl net.ipv4.tcp_fin_timeout';
expected_value = 'The output should match the pattern "net.ipv4.tcp_fin_timeout = ([0-5][0-9]|60)\\b"';
# ------------------------------------------------------------------
# CONNECTION CHECK
# ------------------------------------------------------------------
if(!get_kb_item("login/SSH/success") || !sock = ssh_login_or_reuse_connection()){
report_ssh_error(title: title,
solution: solution,
action: action,
expected_value: expected_value,
check_type: check_type);
exit(0);
}
# ------------------------------------------------------------------
# CHECK : Verify command "sysctl net.ipv4.tcp_fin_timeout"
# ------------------------------------------------------------------
step_cmd = 'sysctl net.ipv4.tcp_fin_timeout';
actual_value = ssh_cmd(socket:sock, cmd:step_cmd, return_errors:TRUE, return_linux_errors_only:TRUE);
if(eregmatch(string: actual_value, pattern:"(No such file or directory|Permission denied|Command not found|Segmentation fault|service not found|is not running|syntax error near unexpected token|syntax error: unexpected end of file)", icase: TRUE)){
compliant = "incomplete";
comment = "Something went wrong during the audit check. Please try again.";
}else if(actual_value =~ 'net.ipv4.tcp_fin_timeout = ([0-5][0-9]|60)\\b'){
compliant = "yes";
comment = "Check passed";
}else{
compliant = "no";
comment = "Check failed";
}
# ------------------------------------------------------------------
# REPORT
# ------------------------------------------------------------------
target = get_kb_item("policy/ssh/login/os-release");
comment = "Target: " + target + "\n" + comment;
report_audit(action: action,
actual_value: actual_value,
expected_value: expected_value,
is_compliant: compliant,
solution: solution,
check_type: check_type,
title: title,
comment: comment);
exit(0);
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation