AlmaLinux OS 9 must not send Internet Control Message Protocol (ICMP) redirects.

STIG ID: ALMA-09-019930  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-269256

Vulnerability Discussion

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.

The ability to send ICMP redirects is only appropriate for systems acting as routers.

Check

Verify AlmaLinux OS 9 does not send ICMP redirects.

Check the value of the "send_redirects" variables with the following command:

$ sysctl -a | grep send_redirects

net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.enp1s0.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0

If the returned lines do not all have a value of "0", this is a finding.

Fix

Configure AlmaLinux OS 9 to not allow interfaces to perform ICMP redirects.

Create a numbered *.conf file in /etc/sysctl.d/ with the following content:

net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
EOF

The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:

$ sysctl –system
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.