AlmaLinux OS 9 must not accept router advertisements on all IPv6 interfaces.

STIG ID: ALMA-09-018500  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-269243

Vulnerability Discussion

An illicit router advertisement message could result in a man-in-the-middle attack.

Check

Note: If IPv6 is disabled on the system, this requirement is Not Applicable.

Verify AlmaLinux OS 9 does not accept router advertisements on any IPv6 interfaces, unless the system is a router.

Determine if router advertisements are not accepted by using the following command:

$ sysctl -a | grep 'accept_ra '

net.ipv6.conf.all.accept_ra = 1
net.ipv6.conf.default.accept_ra = 1
net.ipv6.conf.enp1s0.accept_ra = 0
net.ipv6.conf.lo.accept_ra = 1

If any of the returned lines are not set to "0" and it is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

Fix

Configure AlmaLinux OS 9 to not accept router advertisements on all IPv6 interfaces unless the system is a router.

Create a numbered *.conf file in /etc/sysctl.d/ with the following content:

net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.lo.accept_ra = 0

The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:

$ sysctl –system
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.