RHEL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs.

STIG ID: RHEL-09-253060  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-257967

Vulnerability Discussion

Some routers will send responses to broadcast frames that violate RFC-1122, which fills up a log file system with many useless error messages. An attacker may take advantage of this and attempt to flood the logs with bogus error logs. Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.

Check

The runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter can be queried by running the following command:

$ sudo sysctl net.ipv4.icmp_ignore_bogus_error_responses

net.ipv4.icmp_ignore_bogus_error_responses = 1

If "net.ipv4.icmp_ignore_bogus_error_responses" is not set to "1", this is a finding.

Check that the configuration files are present to enable this network parameter.

$ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.ipv4.icmp_ignore_bogus_error_response | tail -1

net.ipv4.icmp_ignore_bogus_error_response = 1

If "net.ipv4.icmp_ignore_bogus_error_response" is not set to "1" or is missing, this is a finding.

Fix

Configure RHEL 9 to not log bogus ICMP errors:

Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory:

net.ipv4.icmp_ignore_bogus_error_responses = 1

Load settings from all system configuration files with the following command:

$ sudo sysctl --system