AlmaLinux OS 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs.

STIG ID: ALMA-09-018940  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-269247

Vulnerability Discussion

Some routers will send responses to broadcast frames that violate RFC-1122, which fills up a log file system with many useless error messages. An attacker may take advantage of this and attempt to flood the logs with bogus error logs. Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.

Check

Verify AlmaLinux OS 9 ignores bogus ICMP error responses with the following command:

$ sysctl net.ipv4.icmp_ignore_bogus_error_responses

net.ipv4.icmp_ignore_bogus_error_responses = 1

If the returned line does not have a value of "1", this is a finding.

Fix

Configure AlmaLinux OS 9 to use reverse path filtering on all IP interfaces.

Create a numbered *.conf file in /etc/sysctl.d/ with the following content:

net.ipv4.icmp_ignore_bogus_error_responses = 1

The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:

$ sysctl --system
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.