OL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.

STIG ID: OL09-00-006033  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-271876

Vulnerability Discussion

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.

The ability to send ICMP redirects is only appropriate for systems acting as routers.

Check

Verify that OL 9 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default.

Check the value of the "default send_redirects" variables with the following command:

$ sysctl net.ipv4.conf.default.send_redirects
net.ipv4.conf.default.send_redirects=0

If "net.ipv4.conf.default.send_redirects" is not set to "0" and is not documented with the information system security officer (ISSO) as an operational requirement or is missing, this is a finding.

Fix

Configure OL 9 to not allow interfaces to perform IPv4 ICMP redirects by default.

Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory:

net.ipv4.conf.default.send_redirects = 0

Load settings from all system configuration files with the following command:

$ sudo sysctl --system
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.