RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.

STIG ID: RHEL-08-040262  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-230542

Vulnerability Discussion

Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.

An illicit router advertisement message could result in a man-in-the-middle attack.

Check

Verify RHEL 8 does not accept router advertisements on all IPv6 interfaces by default, unless the system is a router.

Note: If IPv6 is disabled on the system, this requirement is not applicable.

Check to see if router advertisements are not accepted by default by using the following command:

$ sudo sysctl net.ipv6.conf.default.accept_ra

net.ipv6.conf.default.accept_ra = 0

If the "accept_ra" value is not "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.

Fix

Configure RHEL 8 to not accept router advertisements on all IPv6 interfaces by default unless the system is a router with the following commands:

$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0

If "0" is not the system's default value then add or update the following lines in the appropriate file under "/etc/sysctl.d":

net.ipv6.conf.default.accept_ra=0