OL 9 must not send Internet Control Message Protocol (ICMP) redirects.

STIG ID: OL09-00-006032  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-271875

Vulnerability Discussion

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.

The ability to send ICMP redirects is only appropriate for systems acting as routers.

Check

Verify that OL 9 does not IPv4 ICMP redirect messages.

Check the value of the "all send_redirects" variables with the following command:

$ sysctl net.ipv4.conf.all.send_redirects
net.ipv4.conf.all.send_redirects = 0

If "net.ipv4.conf.all.send_redirects" is not set to "0" and is not documented with the information system security officer (ISSO) as an operational requirement or is missing, this is a finding.

Fix

Configure OL 9 to not allow interfaces to perform IPv4 ICMP redirects.

Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory:

net.ipv4.conf.all.send_redirects = 0

Load settings from all system configuration files with the following command:

$ sudo sysctl --system
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.